Abstract. This paper shows how a recently developed view of typing as small-step abstract reduction, due to Kuan, MacQueen, and Findler, can be used to recast the development of simple type theory from a rewriting perspective. We show how standard meta-theoretic results can be proved in a completely new way, using the rewriting view of simple typing. These meta-theoretic results include standard type preservation and progress properties for simply typed lambda calculus, as well as generalized versions where typing is taken to include both abstract and concrete reduction. We show how automated analysis tools developed in the term-rewriting community can be used to help automate the proofs for this meta-theory. Finally, we show how to adapt a standard proof of normalization of simply typed lambda calculus, for the rewriting approach to typing.



1. Introduction 




This paper develops a significant part of the theory of simple types based on a recently introduced rewriting approach to typing. The idea of viewing typing as a small-step abstract reduction relation was proposed by Kuan, MacQueen, and Findler in 2007, and explored also by Ellison, Șerbănuță, and Roșu [13, 8, 14]. These works sought to use rewrite systems to specify typing in a finer-grained way than usual type systems. Our motivation is more foundational: we seek to prove standard meta-theoretic properties of type systems directly, based on the rewriting formulation. The goal is to develop new methods which could provide a different perspective on familiar type systems, and perhaps yield new results for more advanced type systems.
Our focus in this paper is simple type systems, where the central typing construct is the function type $T \Rightarrow T'$. We will view such types as abstractions of functions, and incrementally rewrite (typable) functions to such function types, using an abstract small-step reduction relation. It will be straightforward to prove the standard property of type safety, based on type preservation and progress, using this rewriting formulation. This viewpoint also allows us to combine the usual concrete reduction relation and our new abstract reduction relation together, simply by taking their set-theoretic union. We will prove that this combined reduction relation is confluent for typable terms, defined as terms which reduce, using abstract steps, to a type. To prove both type preservation and confluence we use observations developed in the context of abstract reduction systems. We then develop our final main result, which is a proof of normalization for the simply typed lambda calculus, based on the rewriting approach. This proof has several novel features, which shed new light on the reducibility semantics of types used in standard proofs of normalization.

This paper expands in several important ways on a previous paper of Stump, Kimmell, and El Haj Omar, which was presented at RTA 2011 [20]:

• We use the rewriting method to prove type preservation for full $\beta$-reduction; the RTA '11 paper showed it only for call-by-value computation.

• We prove preservation for a new notion we call generalized typing, where concrete and abstract reduction steps can be intermixed. This generalizes the so-called direct computation rules of the well-known NuPRL system [2].

• We correct an error in the RTA '11 paper, where we claimed that type preservation is a corollary of confluence for typable terms. In fact, confluence is a straightforward corollary of type preservation.

• We have shown how a standard proof of normalization for simply typable terms is adapted to the rewriting approach to typing. This adaptation reveals an interesting perspective on types as abstractions of terms.

• Due to the amount of new material, we have dropped the treatment of several variants of STLC, which are studied in the RTA paper.

As Zantema had a substantial contribution to these extensions, he was added as an author. 

The remainder of the article is organized as follows. Section 2 provides a brief introduction to abstract reduction systems as used later in the paper. Section 3 gives a standard presentation of the simply typed lambda calculus along with the fundamental meta-theoretic properties. Section 4 recasts the simply typed lambda calculus static and operational semantics within the framework of abstract reduction systems. Section 5 gives some abstract reduction theory to be used in Section 6, where type preservation and confluence are proved. Section 7 then proves progress and type safety. Section 8 proves type preservation and confluence for a system with uniform syntax for types and terms. For this result, we use automated tools developed in the term-rewriting community, to verify some of the properties necessary for applying theorems proved in Section 5. Section 9 extends these to a generalized notion of typing, based on the union of the concrete and abstract reduction relations. Section 10 applies a rewriting approach to prove the normalization of well-typed simply typed lambda calculus terms. We conclude and identify future directions in Section 11.
2. Rewriting Preliminaries



In this section we collect some basic properties in the setting of abstract reduction systems. That is, we consider relations $\to$ being a subset of $X \times X$ for some arbitrary set $X$.

We write $\cdot$ for relation composition, and inductively define $\to^0 = \mathrm{id}$ (the identity) and $\to^n = \to^{n-1} \cdot \to$ for $n > 0$. As usual, for a relation $\to$ we write $\leftarrow$ for its reverse, $\to^=$ for its reflexive closure (zero or one times), $\to^+ = \bigcup_{i \geq 1} \to^i$ for its transitive closure (one or more times), and $\to^* = \bigcup_{i \geq 0} \to^i$ for its transitive reflexive closure (zero or more times). We will also use standard notation $R(A)$ for the image of set $A$ under relation $R$:

$$R(A) = \{ a' \mid \exists a \in A.\ (a, a') \in R \}$$

We can use this notation to denote the set of predecessors of a set $A$ with respect to $\to$ as $\leftarrow^*(A)$. We will also write $\mathrm{Id}_A$ for $\{(a, a) \mid a \in A\}$.

A relation $\to$ is said to

• be confluent (Church Rosser, $\mathrm{CR}(\to)$) if $\leftarrow^* \cdot \to^* \subseteq \to^* \cdot \leftarrow^*$,

• be locally confluent (Weak Church Rosser, $\mathrm{WCR}(\to)$) if $\leftarrow \cdot \to \subseteq \to^* \cdot \leftarrow^*$,

• have the diamond property ($\Diamond(\to)$) if $\leftarrow \cdot \to \subseteq \to^= \cdot \leftarrow^=$,

• be deterministic ($\mathrm{det}(\to)$) if $\leftarrow \cdot \to \subseteq \mathrm{id}$,

• be terminating if there is no infinite descending chain $a_1 \to a_2 \to \cdots$,

• be convergent if it is confluent and terminating.

We will sometimes also call an element $x_1 \in X$ confluent iff for all $x_2, x_3 \in X$ with $x_1 \to^* x_2$ and $x_1 \to^* x_3$, there exists $x_4$ with $x_2 \to^* x_4$ and $x_3 \to^* x_4$. It is well-known and easy to see that $\mathrm{det}(\to) \Rightarrow \Diamond(\to) \Rightarrow \mathrm{CR}(\to) \Rightarrow \mathrm{WCR}(\to)$.

Finally, if $\to_a$ and $\to_b$ are binary relations, below we will often write $\to_{ba}$ for $\to_a \cup \to_b$.



3. A Standard Presentation of Simple Typing

In this section, we summarize a standard presentation of the simply typed lambda calculus (STLC), including syntax and semantics, and statements of the basic meta-theoretic properties of type preservation and progress. Sections 4 and following will recapitulate this development in detail, from the rewriting perspective. Including some type and term constants, together with reduction rules for them, is very standard in the study of programming languages and typed lambda calculus. One example is Mitchell's treatment of STLC with additional rules [16, Section 4.4.3]. For progress, it is indeed instructive to include reduction rules for some selected constants. Otherwise, there are no stuck terms that should be ruled out by the type system, since in pure STLC, every closed normal form is a value, namely a $\lambda$-abstraction. We treat additional rules representatively (as opposed to parametrically), using constants $a$ and $f$ below.

3.1. Syntax and Semantics. The syntax for terms, types, and typing contexts is the following, where $A$, $f$, and $a$ are specific constants, and $x$ ranges over a countably infinite set of variables:

$$\begin{array}{lrcl}
\text{types} & T & ::= & A \mid T_1 \Rightarrow T_2 \\
\text{standard terms} & t & ::= & f \mid a \mid x \mid t_1\ t_2 \mid \lambda x{:}T.\,t \\
\text{typing contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}T
\end{array}$$
$$\frac{\Gamma(x) = T}{\Gamma \vdash x : T} \qquad \frac{}{\Gamma \vdash f : A \Rightarrow A} \qquad \frac{}{\Gamma \vdash a : A}$$

$$\frac{\Gamma \vdash t_1 : T_2 \Rightarrow T_1 \qquad \Gamma \vdash t_2 : T_2}{\Gamma \vdash t_1\ t_2 : T_1} \qquad \frac{\Gamma, x{:}T_1 \vdash t : T_2}{\Gamma \vdash \lambda x{:}T_1.\,t : T_1 \Rightarrow T_2}$$

Figure 1: Type-computation rules for STLC with selected constants

$$\begin{array}{lrcl}
\text{values} & v & ::= & \lambda x{:}T.\,t \mid a \mid f \\
\text{evaluation contexts} & E & ::= & * \mid (E\ t) \mid (t\ E) \mid \lambda x{:}T.\,E
\end{array}$$

$$E[(\lambda x{:}T.\,t)\ t'] \to E[[t'/x]t] \qquad\qquad E[f\ a] \to E[a]$$

Figure 2: Small-step reduction semantics for STLC



We will write $\mathit{Types}$ for the set of all types. We assume standard additional conventions and notations, such as $[t/x]t'$ for the capture-avoiding substitution of $t$ for $x$ in $t'$, and $E[t]$ for grafting a term into an evaluation context. Figure 1 defines a standard type system for STLC. The judgments derived by the rules in the figure are of the form $\Gamma \vdash t : T$, which can be viewed as deterministically computing a type $T$ as output, given a term $t$ and a typing context $\Gamma$ as inputs. In the topmost leftmost rule of the figure, we use the notation $\Gamma(x) = T$ to mean that there is a binding $x : T$ in $\Gamma$. We assume there is at most one such binding in $\Gamma$, renaming bound variables as necessary to ensure this. A standard small-step reduction semantics, for unrestricted $\beta$-reduction, is defined using the rules of Figure 2. Following standard usage, terms of the form $(\lambda x{:}T.\,t)\ t'$ or $f\ a$ are called redexes. An example of a concrete reduction is (with redexes underlined):

$$(\lambda x{:}(A \Rightarrow A).\,x\ (x\ a))\ f \to f\ (f\ a) \to f\ a \to a$$

3.2. Basic Meta-theory. The main theorem relating the reduction relation $\to$ and typing is type preservation, which states the following, either for unrestricted $\beta$-reduction $\to$ or for some restriction of $\to$ (as we will consider below):

$$(\Gamma \vdash t : T \ \wedge\ t \to t') \Rightarrow \Gamma \vdash t' : T$$

The standard proof method is to proceed by induction on the structure of the typing derivation, with case analysis on the reduction derivation (cf. Chapters 8 and 9 of [17]). A separate induction is required to prove a substitution lemma, needed critically for type preservation for $\beta$-reduction steps:

$$(\Gamma \vdash t : T \ \wedge\ \Gamma, x{:}T \vdash t' : T') \Rightarrow \Gamma \vdash [t/x]t' : T'$$

For call-by-value programming languages, one also typically proves progress, formulated in terms of values:

$$(\cdot \vdash t : T \ \wedge\ t \not\to) \Rightarrow t \in \mathit{values}$$

Here, the notation $t \not\to$ means $\forall t'.\ \neg(t \to t')$; i.e., $t$ is a normal form. Normal forms which are not values are called stuck terms. An example is $f\ f$. Combining type preservation and progress allows us to prove type safety [24]. This property states that the normal forms of closed well-typed terms are values, not stuck terms, and in our setting can be stated:

$$(\cdot \vdash t : T \ \wedge\ t \to^* t' \not\to) \Rightarrow \exists v.\ t' = v$$

This is proved by induction on the length of the reduction sequence from $t$ to $t'$. As already noted, without constants ($f$ and $a$ here), this result is not so interesting for STLC, since it follows already by simpler reasoning: reduction cannot introduce new free variables, so $t'$ must be closed; and it is then easy to prove that closed normal forms are $\lambda$-abstractions, and hence values by definition.

$$\begin{array}{lrcl}
\text{types} & T & ::= & A \mid T_1 \Rightarrow T_2 \\
\text{standard terms} & t & ::= & x \mid \lambda x{:}T.\,t \mid t\ t' \mid a \mid f \\
\text{mixed terms} & m & ::= & x \mid \lambda x{:}T.\,m \mid m\ m' \mid a \mid f \mid A \mid T \Rightarrow m \\
\text{standard values} & v & ::= & \lambda x{:}T.\,t \mid a \mid f \\
\text{mixed values} & u & ::= & \lambda x{:}T.\,m \mid T \Rightarrow m \mid A \mid a \mid f
\end{array}$$

Figure 3: Syntax for STLC using mixed terms

$$\begin{array}{c}
E_c[f\ a] \to_c E_c[a] \quad c(f\text{-}\beta) \qquad\qquad E_c[(\lambda x{:}T.\,m)\ u] \to_c E_c[[u/x]m] \quad c(\beta) \\[1ex]
E_a[f\ a] \to_b E_a[a] \quad b(f\text{-}\beta) \qquad\qquad E_a[(\lambda x{:}T.\,m)\ m'] \to_b E_a[[m'/x]m] \quad b(\beta) \\[1ex]
E_a[(T \Rightarrow m)\ T] \to_a E_a[m] \quad a(\beta) \qquad\qquad E_a[\lambda x{:}T.\,m] \to_a E_a[T \Rightarrow [T/x]m] \quad a(\lambda) \\[1ex]
E_a[f] \to_a E_a[A \Rightarrow A] \quad a(f) \qquad\qquad E_a[a] \to_a E_a[A] \quad a(a)
\end{array}$$

$$\begin{array}{lrcl}
\text{call-by-value evaluation contexts} & E_c & ::= & * \mid (E_c\ m) \mid (u\ E_c) \\
\text{unrestricted evaluation contexts} & E_a & ::= & * \mid (E_a\ m) \mid (m\ E_a) \mid \lambda x{:}T.\,E_a \mid T \Rightarrow E_a
\end{array}$$

Figure 4: Concrete call-by-value reduction ($\to_c$), concrete full $\beta$-reduction ($\to_b$), and abstract reduction ($\to_a$) for STLC

4. Simple Typing as Abstract Reduction

In this section, we see how to view a type-computation (also called type-synthesis) system for STLC as an abstract operational semantics. We view function types $T_1 \Rightarrow T_2$ as abstract functions from $T_1$ to $T_2$, and allow these to be applied to arguments. When $T_1 \Rightarrow T_2$ is applied to the abstract term $T_1$, an abstract $\beta$-reduction step is possible, simulating concrete $\beta$-reduction for any function of type $T_1 \Rightarrow T_2$ applied to an argument of type $T_1$. Thus, we will see abstract reduction as truly an abstraction of the usual reduction, which we thus view, in contrast, as concrete.
To view typing as an abstract form of reduction, we use mixed terms, defined in Figure 3. Types like $T_1 \Rightarrow T_2$ will serve as abstractions of $\lambda$-abstractions. For our development below, we are going to consider both unrestricted $\beta$-reduction, and also call-by-value $\beta$-reduction, a common restriction implemented in practical functional programming languages like OCaml. Figure 4 gives rules for concrete call-by-value reduction ($\to_c$), concrete full $\beta$-reduction ($\to_b$), and abstract reduction ($\to_a$). As above, we will refer to any term of the form displayed in context on the left hand side of the conclusion of a rule as a redex. We denote the union of these reduction relations as $\to_{ca}$. The definition of call-by-value evaluation contexts $E_c$ enforces left-to-right evaluation order in a standard way, while unrestricted evaluation contexts $E_a$ make abstract reduction and full $\beta$-reduction non-deterministic: reduction is allowed anywhere inside a term. This is different from the approach followed by Kuan et al., where abstract and concrete reduction are both deterministic. Here is an example of reduction using the abstract operational semantics:

$$\begin{array}{l}
\lambda x{:}(A \Rightarrow A).\,\lambda y{:}A.\,(x\ (x\ y)) \to_a \\
\lambda x{:}(A \Rightarrow A).\,A \Rightarrow (x\ (x\ A)) \to_a \\
(A \Rightarrow A) \Rightarrow A \Rightarrow ((A \Rightarrow A)\ ((A \Rightarrow A)\ A)) \to_a \\
(A \Rightarrow A) \Rightarrow A \Rightarrow ((A \Rightarrow A)\ A) \to_a \\
(A \Rightarrow A) \Rightarrow A \Rightarrow A
\end{array}$$

The final result is a type $T$, which does not reduce (as noted below). Indeed, using the standard typing rules of Section 3.1, we can prove that the starting term of this reduction has that type $T$, in the empty typing context. Abstract reduction to a type plays the role of typing above.
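To make the abstract operational semantics concrete, here is an added example (my own code, not the paper's) that implements the mixed terms of Figure 3, the $\to_a$ rules of Figure 4 as a leftmost-outermost rewriter, the measure $\mu$ of Section 4.1 and the standard rules of Figure 1, so that the two sides of Theorem 4.4 can be compared on the example term above; the tuple encoding and all function names are my own choices.

```python
# Added example, not from the paper: mixed terms (Figure 3), the ->_a rules of
# Figure 4 as a leftmost-outermost rewriter, the measure mu of Theorem 4.2 and
# the standard rules of Figure 1, so Theorem 4.4 can be checked on real terms.
# Encoding (my own choice): ('var', x), ('lam', x, T, m), ('app', m1, m2),
# ('a',), ('f',), ('A',) and ('arrow', T, m) for the mixed term T => m.
A, F, CA = ('A',), ('f',), ('a',)

def arrow(t, m):
    return ('arrow', t, m)

def is_type(m):
    """Types T ::= A | T1 => T2, i.e. mixed terms built only from A and =>."""
    return m == A or (m[0] == 'arrow' and is_type(m[1]) and is_type(m[2]))

def subst(ty, x, m):
    """[T/x]m: replace free x by the type ty (types have no variables, so no capture)."""
    tag = m[0]
    if tag == 'var':
        return ty if m[1] == x else m
    if tag == 'lam':
        return m if m[1] == x else ('lam', m[1], m[2], subst(ty, x, m[3]))
    if tag == 'app':
        return ('app', subst(ty, x, m[1]), subst(ty, x, m[2]))
    if tag == 'arrow':
        return ('arrow', m[1], subst(ty, x, m[2]))
    return m                                   # a, f, A

def a_step(m):
    """One leftmost-outermost ->_a step, or None if m is an ->_a normal form."""
    tag = m[0]
    if tag == 'f':                             # a(f):      f ->_a A => A
        return arrow(A, A)
    if tag == 'a':                             # a(a):      a ->_a A
        return A
    if tag == 'lam':                           # a(lambda): \x:T.m ->_a T => [T/x]m
        return arrow(m[2], subst(m[2], m[1], m[3]))
    if tag == 'app':
        fn, arg = m[1], m[2]
        if fn[0] == 'arrow' and is_type(fn[1]) and arg == fn[1]:
            return fn[2]                       # a(beta):   (T => m) T ->_a m
        left = a_step(fn)                      # contexts (E_a m), then (m E_a)
        if left is not None:
            return ('app', left, arg)
        right = a_step(arg)
        return None if right is None else ('app', fn, right)
    if tag == 'arrow':                         # context T => E_a
        body = a_step(m[2])
        return None if body is None else arrow(m[1], body)
    return None                                # variables and A are normal forms

def a_normalize(m):
    """Rewrite to ->_a normal form; Theorem 4.2 says this loop terminates."""
    while (nxt := a_step(m)) is not None:
        m = nxt
    return m

def mu(m):
    """Measure of Theorem 4.2; strictly decreases along every ->_a step."""
    tag = m[0]
    if tag in ('var', 'a', 'f'):
        return 1
    if tag == 'lam':
        return 1 + mu(m[3])
    if tag == 'app':
        return 1 + mu(m[1]) + mu(m[2])
    if tag == 'arrow':
        return mu(m[2])
    return 0                                   # mu(A) = 0

def type_of(ctx, t):
    """Standard type computation of Figure 1; ctx maps variables to types."""
    tag = t[0]
    if tag == 'var':
        return ctx.get(t[1])
    if tag == 'f':
        return arrow(A, A)
    if tag == 'a':
        return A
    if tag == 'app':
        t1, t2 = type_of(ctx, t[1]), type_of(ctx, t[2])
        return t1[2] if t1 is not None and t1[0] == 'arrow' and t1[1] == t2 else None
    if tag == 'lam':
        body = type_of({**ctx, t[1]: t[2]}, t[3])
        return None if body is None else arrow(t[2], body)
    return None                                # A or T => m: not a standard term

def theorem_4_4(ctx, t):
    """Theorem 4.4 on a standard term t under ctx: the type computed by
    Figure 1 must equal the ->_a normal form of [T1/x1,...,Tn/xn]t, and when
    Figure 1 gives no type that normal form must not be a type (typable fails)."""
    m = t
    for x, ty in ctx.items():
        m = subst(ty, x, m)
    nf, std = a_normalize(m), type_of(ctx, t)
    assert std == nf if std is not None else not is_type(nf)
    return std

# The paper's example term  \x:(A=>A). \y:A. (x (x y)), and the stuck term f f
EXAMPLE = ('lam', 'x', arrow(A, A),
           ('lam', 'y', A, ('app', ('var', 'x'), ('app', ('var', 'x'), ('var', 'y')))))
STUCK = ('app', F, F)                          # rewrites to (A=>A) (A=>A), not a type
```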

Lemma 4.1. For all types $T$, we have $T \not\to_a$.

Proof. This follows by induction on $T$ and inspection of the rules for $\to_a$. □

If we look back at our standard typing rules (Figure 1), we can now see them as essentially big-step abstract operational rules. Recall that big-step call-by-value operational semantics for STLC includes this rule (as well as several others which we elide):

$$\frac{t_1 \Downarrow \lambda x{:}T.\,t_1' \qquad t_2 \Downarrow t_2' \qquad [t_2'/x]t_1' \Downarrow t'}{t_1\ t_2 \Downarrow t'}$$

In our setting, big-step call-by-value semantics would be seen as a concrete big-step reduction, which we might denote $\Downarrow_c$. The abstract version of this rule, where we abstract $\lambda$-abstractions by arrow-types, is

$$\frac{t_1 \Downarrow_a T \Rightarrow T' \qquad t_2 \Downarrow_a T}{t_1\ t_2 \Downarrow_a T'}$$

If we drop the typing context from the standard typing rule for applications (in Figure 1), we obtain essentially the same rule.

The standard approach to proving type preservation relates a small-step concrete operational semantics with a big-step abstract operational semantics (i.e., the standard typing relation). We find it both more elegant, and arguably more informative, to relate abstract and concrete small-step relations, as we will do in Section 6 below.
4.1. Rewriting Properties of Abstract Reduction. In this subsection, we study the properties of abstract reduction from the perspective of the theory of abstract reduction systems (ARSs). From this point of view, abstract reduction is very well behaved: it is a convergent ARS, as the following two theorems show.

Theorem 4.2 (Termination of Abstract Reduction). The relation $\to_a$ is terminating.

Proof. We recursively define a natural-number measure $\mu(m)$ which can be confirmed to decrease from $m$ to $m'$ whenever $m \to_a m'$:

$$\begin{array}{rcl}
\mu(x) & = & 1 \\
\mu(\lambda x{:}T.\,m) & = & 1 + \mu(m) \\
\mu(m\ m') & = & 1 + \mu(m) + \mu(m') \\
\mu(a) & = & 1 \\
\mu(f) & = & 1 \\
\mu(A) & = & 0 \\
\mu(T \Rightarrow m) & = & \mu(m)
\end{array}$$

□

Theorem 4.3. The relation $\to_a$ is confluent.

Proof. In fact, we will prove $\to_a$ has the diamond property (and hence is confluent). Suppose $m \to_a m_1$ and $m \to_a m_2$. No critical overlap is possible between these steps, because none of the redexes in the $a$-rules of Figure 4 (such as $(T \Rightarrow m)\ T$ in the $a(\beta)$ rule) can critically overlap another such redex. If the positions of the redexes in the terms are parallel, then (as usual) we can join $m_1$ and $m_2$ by applying to each the reduction required to obtain the other. Finally, we must consider the case of non-critical overlap (where the position of one redex in $m$ is a prefix of the other position). We can also join $m_1$ and $m_2$ in this case by applying the reduction to $m_i$ which was used in $m \to_a m_{3-i}$, because abstract reduction cannot duplicate or delete an $a$-redex. The only duplication of any subterm in the abstract reduction rules of Figure 4 is of the type $T$ in $a(\lambda)$. The only deletion possible is of the type $T$ in $a(\beta)$. Since types cannot contain redexes, there is no duplication or deletion of redexes. This means that if the position of the first redex is a prefix of the second (say), then there is exactly one descendant (see Section 4.2 of [22]) of the second redex in $m_1$, and this can be reduced in one step to join $m_1$ with the reduct of $m_2$ obtained by reducing the first redex. So every $aa$-peak can be completed with one joining step on each side of the diagram. This gives the diamond property (and thus confluence for $\to_a$). □

4.2. Relation with Standard Typing. In this subsection, we prove the following theorem, which relates our notion of typing with the standard one. The proof begins after the statement of some simple auxiliary lemmas, whose proofs are routine and omitted. The proof of the right-to-left direction of the implication will take advantage of the fact that abstract reduction is convergent, as proved in the previous subsection.

Theorem 4.4. For standard terms $t$, a typing judgment $x_1{:}T_1, \cdots, x_n{:}T_n \vdash t : T$ holds iff $[T_1/x_1, \cdots, T_n/x_n]t \to_a^* T$.

Lemma 4.5. If $t_1 \to_a^* T$, then $t_1\ t_2 \to_a^* T\ t_2$.

Lemma 4.6. If $t_2 \to_a^k T$, then $t_1\ t_2 \to_a^k t_1\ T$.

Lemma 4.7. If $t \to_a^k T'$, then $T \Rightarrow t \to_a^k T \Rightarrow T'$.

Proof of Theorem 4.4, left-to-right. Suppose $x_1{:}T_1, \cdots, x_n{:}T_n \vdash t : T$. We will now prove $[T_1/x_1, \cdots, T_n/x_n]t \to_a^* T$ by induction on the structure of the typing derivation of $t$. To simplify the writing of the proof, we will use the following notation:

$$\begin{array}{rcl}
\Gamma & = & x_1{:}T_1, \cdots, x_n{:}T_n \\
\Gamma_{\mathit{sub}} & = & [T_1/x_1, \cdots, T_n/x_n]
\end{array}$$

Base Case:

$$\frac{\Gamma(x) = T}{\Gamma \vdash x : T}$$

There must be some $i \in \{1, \ldots, n\}$ such that $x = x_i$ and $T = T_i$. So $\Gamma_{\mathit{sub}}\ x = T_i \to_a^* T_i$ as required.

Base Case:

$$\frac{}{\Gamma \vdash f : A \Rightarrow A}$$

We indeed have $f \to_a (A \Rightarrow A)$, as required. The case for $a : A$ is similar.

Case:

$$\frac{\Gamma \vdash t_1 : T_2 \Rightarrow T_1 \qquad \Gamma \vdash t_2 : T_2}{\Gamma \vdash t_1\ t_2 : T_1}$$

By the induction hypotheses for the derivations given for the two premises of this rule, we have:

$$\Gamma_{\mathit{sub}}\ t_1 \to_a^* T_2 \Rightarrow T_1 \qquad\qquad \Gamma_{\mathit{sub}}\ t_2 \to_a^* T_2$$

Our goal now is to construct the reduction sequence:

$$\Gamma_{\mathit{sub}}\ (t_1\ t_2) \to_a^* (T_2 \Rightarrow T_1)\ \Gamma_{\mathit{sub}}\ t_2 \to_a^* (T_2 \Rightarrow T_1)\ T_2 \to_a T_1$$

To construct this sequence, it is sufficient to apply transitivity of $\to_a^*$ and Lemmas 4.5 and 4.6.

Case:

$$\frac{\Gamma, x{:}T \vdash t : T'}{\Gamma \vdash \lambda x{:}T.\,t : T \Rightarrow T'}$$

By the induction hypothesis on the premise of this rule, we have:

$$\Gamma_{\mathit{sub}}\ [T/x]\ t \to_a^* T'$$

Now we need to show that

$$\Gamma_{\mathit{sub}}\ (\lambda x{:}T.\,t) \to_a^* (T \Rightarrow T')$$

By applying one $a(\lambda)$ step and Lemma 4.7 we get:

$$\Gamma_{\mathit{sub}}\ (\lambda x{:}T.\,t) \to_a (T \Rightarrow \Gamma_{\mathit{sub}}\ [T/x]\ t) \to_a^* (T \Rightarrow T')$$

This requires the fact that $\Gamma_{\mathit{sub}}\ [T/x] = [T/x]\ \Gamma_{\mathit{sub}}$, which holds because $x \notin \mathrm{dom}(\Gamma_{\mathit{sub}})$, since we may rename $x$ to avoid this, and because $T$ contains no term variables and hence is unaffected by applying $\Gamma_{\mathit{sub}}$.

□
Proof of Theorem 4.4, right-to-left. Since abstract reduction is convergent (Theorems 4.2 and 4.3), we may assume that redexes in the reduction sequence to $T$ are always reduced in leftmost order. Note that convergence is sufficient to justify this assumption, as $T$ is a normal form, and hence any strategy is guaranteed to reduce the starting term to $T$ in a finite number of steps. This assumption will simplify some reasoning below. We assume $[T_1/x_1, \cdots, T_n/x_n]t \to_a^* T$ and prove $x_1{:}T_1, \cdots, x_n{:}T_n \vdash t : T$ by induction on the number $n$ of leftmost $\to_a$ steps in the reduction to $T$.

Base Case: there are no $\to_a$ steps. This means that our term $t$ cannot be reduced:

$$\Gamma_{\mathit{sub}}\ t = T$$

In this case, $t$ must be a variable (or else substitution could not result in a type $T$). So, $t = x$ for some variable $x$, where $\Gamma(x) = T$. Then we get:

$$\frac{\Gamma(x) = T}{\Gamma \vdash x : T}$$

Step Case: there is at least one $\to_a$ step. We proceed by case splitting on the form of $t$.

Case: $\Gamma_{\mathit{sub}}\ x$

This case cannot occur, since either $x \notin \mathrm{dom}(\Gamma_{\mathit{sub}})$, in which case we cannot have $x \to_a^* T$ for any type $T$; or else $x \in \mathrm{dom}(\Gamma_{\mathit{sub}})$, and then $\Gamma_{\mathit{sub}}\ x = T$. We cannot have a $\to_a$ step in that case, because types are normal forms for abstract reduction (Lemma 4.1).

Case: $\Gamma_{\mathit{sub}}\ f$

The only possible step is $f \to_a A \Rightarrow A$, and we indeed have $\Gamma \vdash f : A \Rightarrow A$. The case for $\Gamma_{\mathit{sub}}\ a$ is similar.

Case: $\Gamma_{\mathit{sub}}\ (t_1\ t_2)$

In this case, the reduction sequence must be of the following form, for some mixed term $t'$ and type $T_2$, and some natural numbers $k_1$ and $k_2$:

$$\Gamma_{\mathit{sub}}\ (t_1\ t_2) \to_a^{k_1} ((T_2 \Rightarrow T)\ \Gamma_{\mathit{sub}}\ t_2) \to_a^{k_2} (T_2 \Rightarrow T)\ T_2 \to_a T$$

where

1. $\Gamma_{\mathit{sub}}\ t_1 \to_a^{k_1} T_2 \Rightarrow T$
2. $\Gamma_{\mathit{sub}}\ t_2 \to_a^{k_2} T_2$

We are justified in assuming this, because there must be some first position in the reduction sequence from $t_1\ t_2$ to $T$ where a descendant of $t_1\ t_2$ is reduced. That descendant here is $(T_2 \Rightarrow T)\ T_2$. In the reduction sequence prior to that point, we are assuming (as noted at the start of the proof) that steps occur in leftmost order, so the $t_1$ steps come first, and then the $t_2$ ones. Now we can apply the induction hypothesis to (1) and (2), which each have shorter length than the original reduction sequence. This gives us the premises of the following inference, which suffices to complete this case:

$$\frac{\Gamma \vdash t_1 : T_2 \Rightarrow T \qquad \Gamma \vdash t_2 : T_2}{\Gamma \vdash t_1\ t_2 : T}$$


STUMP, ZANTEMA, KIMMELL, EL HAJ OMAR 



Case: $\Gamma_{\mathit{sub}}\ (\lambda x{:}T'.\,t')$

In this case, we may assume the reduction sequence is of the following form, for some $T''$:

$$\Gamma_{\mathit{sub}}\ (\lambda x{:}T'.\,t') \to_a (T' \Rightarrow [T'/x]\ \Gamma_{\mathit{sub}}\ t') \to_a^* (T' \Rightarrow T'')$$

where

$$[T'/x]\ \Gamma_{\mathit{sub}}\ t' \to_a^* T''$$

This is because $\lambda x{:}T'.\,t'$ is itself an abstract redex, and since we are assuming our reduction is leftmost, it must be reduced immediately. Now we can apply the induction hypothesis on $[T'/x]\ \Gamma_{\mathit{sub}}\ t' \to_a^* T''$ and get the premise of the following inference, which suffices to complete this case:

$$\frac{\Gamma, x{:}T' \vdash t' : T''}{\Gamma \vdash \lambda x{:}T'.\,t' : T' \Rightarrow T''}$$

□



5. Generic Theorems for Preservation and Combined Confluence

In this section, we collect some abstract properties for $\to_a$ and $\to_b$, from which type preservation and confluence of $\to_{ba}$ can be concluded. In subsequent sections we will instantiate these theorems with abstract and concrete reduction relations.

For the first theorem, recall that in our setting $\to_a$ computes the type of a term, or else could reach a stuck term like $(A \Rightarrow A)\ (A \Rightarrow A)$ which does not correspond to a type. We want to speak about reductions that lead to types, so we need to phrase the following theorem in terms of some set $S$, which we will instantiate later with a set of types. In condition (3) of the theorem, we interpose $\mathrm{Id}_{\leftarrow_a^*(S)}$ to restrict peaks to those objects which $a$-reduce to an object in $S$.

Theorem 5.1. Assume

(1) $\to_a(S) = \emptyset$ (that is, $S$ is a set of objects in normal form with respect to $\to_a$).

(2) $\to_a$ is confluent.

(3) $\leftarrow_a \cdot \mathrm{Id}_{\leftarrow_a^*(S)} \cdot \to_b \subseteq (\to_b \cup \to_a^*) \cdot \leftarrow_a^*$; that is, for every $m$ such that there exists $T \in S$ with $m \to_a^* T$, and every $m'$ and $m''$ with $m \to_a m'$ and $m \to_b m''$, there exists an $m'''$ such that $m'' \to_a^* m'''$ and either $m' \to_b m'''$ or $m' \to_a^* m'''$.

(4) every normal form with respect to $\to_a$ is also a normal form with respect to $\to_b$.

Then if $T \in S$ and $T \leftarrow_a^* m \to_b m'$, we have $m' \to_a^* T$.

Proof. Let $m \to_a^* T$ and $m \to_b m'$; we have to prove that $m' \to_a^* T$. We do this by induction on the number $n$ of steps in $m \to_a^* T$. In case $n = 0$ we have $m = T$. By (1), $T$ is a normal form with respect to $\to_a$, which is a normal form with respect to $\to_b$ due to (4). So $m \to_b m'$ is not possible, and the claim holds trivially.

For the induction step assume $m \to_a m_1$ for which $m_1 \to_a^{n-1} T$. Applying (3) now yields $m_3$ such that $m' \to_a^* m_3$ and either $m_1 \to_b m_3$ or $m_1 \to_a^* m_3$. In case $m_1 \to_b m_3$ we apply the induction hypothesis on $m_1 \to_a^{n-1} T$ and conclude $m' \to_a^* m_3 \to_a^* T$. In case $m_1 \to_a^* m_3$ we apply confluence of $\to_a$ (2) by which $T$ and $m_3$ have a common $\to_a$-reduct. As $T$ is a normal form with respect to $\to_a$ by (1), we conclude $m' \to_a^* m_3 \to_a^* T$, concluding the proof. □
Lemma 5.2. Suppose $\to_a$ and $\to_b$ are binary relations such that

(1) $\to_a$ is confluent, and

(2) $\leftarrow_a \cdot \to_b \subseteq (\to_b \cup \to_a^*) \cdot \leftarrow_a^*$.

Then we also have

$$\leftarrow_a^* \cdot \to_b \subseteq (\to_b \cup \to_a^*) \cdot \leftarrow_a^*$$

Proof. Assume $t \to_a^n u$ and $t \to_b v$; we have to find $w$ such that $u\ (\to_b \cup \to_a^*)\ w$ and $v \to_a^* w$. We do this by induction on $n$. For $n = 0$ we choose $w = v$. For $n > 0$ write $t \to_a t' \to_a^{n-1} u$. By (2) an element $v'$ exists such that $v \to_a^* v'$ and either $t' \to_a^* v'$ or $t' \to_b v'$. If $t' \to_a^* v'$ we apply (1) yielding $w$ satisfying $u \to_a^* w$ and $v' \to_a^* w$ and we are done. If $t' \to_b v'$ then we apply the induction hypothesis yielding $u\ (\to_b \cup \to_a^*)\ w$ and $v' \to_a^* w$. □

Theorem 5.3. Let $\to_a$ and $\to_b$ be binary relations (recall from Section 2 that we write $\to_{ba}$ for $\to_a \cup \to_b$). Assume

(1) $\to_a$ is terminating,

(2) $\to_a$ is confluent,

(3) $\leftarrow_a \cdot \to_b \subseteq (\to_b \cup \to_a^*) \cdot \leftarrow_a^*$, and

(4) every normal form with respect to $\to_a$ is also a normal form with respect to $\to_b$.

Then $\to_{ba}$ is confluent.

Proof. By Lemma 5.2 we have:

$$(3')\qquad \leftarrow_a^* \cdot \to_b \subseteq (\to_b \cup \to_a^*) \cdot \leftarrow_a^*$$

Now let $t \to_{ba}^* u$ and $t \to_{ba}^* v$; for proving the theorem we have to prove that $w$ exists satisfying $u \to_{ba}^* w$ and $v \to_{ba}^* w$. Choose $w$ to be a $\to_a$-normal form of $t$, which exists due to (1). Assume $t \to_{ba}^n u$; we will prove that $u \to_a^* w$ by induction on $n$. For $n = 0$ this follows from $t \to_a^* w$. For $n > 0$ let $t \to_{ba}^{n-1} u' \to_{ba} u$. From the induction hypothesis we conclude $u' \to_a^* w$. Combining (2) and (3') yields

$$\leftarrow_a^* \cdot \to_{ba} \subseteq (\to_b \cup \to_a^*) \cdot \leftarrow_a^*$$

So since $w \leftarrow_a^* u' \to_{ba} u$ we conclude that $w'$ exists satisfying $w \to_b w'$ or $w \to_a^* w'$, and $u \to_a^* w'$. Since $w$ is not only a $\to_a$-normal form, but also a $\to_b$-normal form according to (4), we conclude $w' = w$. Hence $u \to_a^* w' = w$, concluding the proof of $u \to_a^* w$. Applying the same argument on $t \to_{ba}^* v$ we conclude $v \to_a^* w$, concluding the proof of the theorem. □

One may wonder whether the requirement of termination is essential for Theorem 5.3. It is: on the set $\{1, 2, 3\}$ the relations $\to_a = \{(1, 1)\}$ and $\to_b = \{(1, 2), (1, 3)\}$ satisfy all other requirements of Theorem 5.3 while $\to_{ba}$ is not confluent.
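The hypotheses of Theorem 5.3 can be checked mechanically on a finite system; the following added example (my own code, not from the paper) does so by brute force over the reflexive-transitive closures of Section 2, and runs it on the three-element system just given as well as on a small constructed system that satisfies all four hypotheses. Function names and the dictionary keys are my own.

```python
# Added example, not from the paper: a brute-force checker for the hypotheses
# of Theorem 5.3 on a finite abstract reduction system, applied to the
# three-element system above (->_a = {(1,1)}, ->_b = {(1,2),(1,3)}), which
# meets (2), (3) and (4) but not termination, and whose union is not confluent.

def closure(rel, elems):
    """Reflexive-transitive closure ->^* as a set of pairs (Section 2)."""
    star = {(x, x) for x in elems} | set(rel)
    while True:
        new = {(x, z) for (x, y) in star for (y2, z) in star if y == y2} - star
        if not new:
            return star
        star |= new

def is_terminating(rel, elems):
    """Finite system: terminating iff no element reaches itself in >= 1 steps."""
    star = closure(rel, elems)
    return not any((y, x) in star for (x, y) in rel)

def is_confluent(rel, elems):
    """CR(->): every peak u <-* t ->* v is joinable."""
    star = closure(rel, elems)
    def joinable(u, v):
        return any((u, w) in star and (v, w) in star for w in elems)
    return all(joinable(u, v) for (t, u) in star for (t2, v) in star if t == t2)

def normal_forms(rel, elems):
    return {x for x in elems if not any(s == x for (s, _) in rel)}

def condition_3(ra, rb, elems):
    """<-_a . ->_b  is a subset of  (->_b U ->_a^*) . <-_a^*: for every peak
    m1 <-_a m ->_b m2 some m3 has m2 ->_a^* m3 and (m1 ->_b m3 or m1 ->_a^* m3)."""
    star_a = closure(ra, elems)
    return all(any((m2, m3) in star_a and ((m1, m3) in rb or (m1, m3) in star_a)
                   for m3 in elems)
               for (m, m1) in ra for (m_, m2) in rb if m == m_)

def check_theorem_5_3(ra, rb, elems):
    """Report the four hypotheses of Theorem 5.3 and whether ->_ba is confluent."""
    ra, rb = set(ra), set(rb)
    return {
        "1_terminating_a": is_terminating(ra, elems),
        "2_confluent_a": is_confluent(ra, elems),
        "3_peak_condition": condition_3(ra, rb, elems),
        "4_nf_a_subset_nf_b": normal_forms(ra, elems) <= normal_forms(rb, elems),
        "union_confluent": is_confluent(ra | rb, elems),
    }

# The paper's counterexample to dropping hypothesis (1)
COUNTEREXAMPLE = check_theorem_5_3({(1, 1)}, {(1, 2), (1, 3)}, {1, 2, 3})
# A constructed system meeting all four hypotheses: 1 ->_a 2, 3 ->_a 2, 1 ->_b 3
SATISFYING = check_theorem_5_3({(1, 2), (3, 2)}, {(1, 3)}, {1, 2, 3})
```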

One may wonder whether in Theorem 5.3 the condition (4) on normal forms is essential. It is, even if not only $\to_a$ is terminating and confluent but also $\to_b$, as is shown by the following example of relations on 10 elements, in which $\to_a$ steps are denoted by dashed arrows and $\to_b$ steps are denoted by solid arrows.
In this example there are two convertible normal forms, so the union is not confluent, while $\to_a$ and $\to_b$ are both confluent and terminating; $\to_a$ is even deterministic. Also condition (3) of Theorem 5.3 is easily checked, even in a stronger form: $\leftarrow_a \cdot \to_b \subseteq \to_{ba} \cdot \leftarrow_a^=$. This example was found using a SAT solver. A direct encoding of the example to be looked for ran out of resources. However, by adding a symmetry requirement, which was observed on the first example, the SAT solver yielded a satisfying assignment that could be interpreted as a valid example. The example given above was obtained from this after removing some redundant arrows. Independently, Bertram Felgenhauer found an example that could be simplified to exactly the same example as given here. This remarkable example was the starting point of developing the tool CARPA by which such examples can be found fully automatically.

6. Type Preservation and Combined Confluence for STLC

We now prove type preservation for full $\beta$-reduction (the $\to_b$ relation of Section 4), based on the rewriting formulation. This is in contrast to the results of Kuan et al., who obtain type preservation for the rewriting approach as a corollary of type preservation based on a standard big-step notion of typing (and the relation of that notion of typing with the small-step notion).

Definition 6.1 (Typability). A mixed term $m$ is called typable if $m \to_a^* T$ for some type $T$.

If we translate our standard statement of type preservation (at the beginning of Section 3.2) so that it uses abstract reduction instead of the usual typing relation, we have the following.

Theorem 6.2 (Type Preservation). Let $m, m'$ be mixed terms and $T$ be a type. If $m \to_a^* T$ and $m \to_b m'$, then $m' \to_a^* T$.

The proof of this theorem is given by applying Theorem 5.1; we need to check its conditions (1), (2), (3) and (4). We instantiate the set $S$ in condition (1) with the set of types $T$, which are normal forms by Lemma 4.1. Condition (2) follows from Theorem 4.3. Condition (4) is immediate from the definitions of $\to_a$ and $\to_b$: if $\to_b$ applies on a term $t$, then $t$ either contains $f\ a$ via rule $b(f\text{-}\beta)$, by which $\to_a$ applies via $a(f)$, or $t$ contains $\lambda x{:}T.\,m$ via rule $b(\beta)$, by which $\to_a$ applies via $a(\lambda)$. So it remains to check condition (3), which follows from the following lemma.

Lemma 6.3. Let $m_0$ be a typable mixed term and let $m_1, m_2$ be mixed terms such that $m_0 \to_a m_1$ and $m_0 \to_b m_2$. Then a mixed term $m_3$ exists such that $m_2 \to_a^* m_3$ and either $m_1 \to_b m_3$ or $m_1 \to_a^* m_3$. Furthermore, if the step from $m_0$ to $m_2$ is a call-by-value step, so is the step from $m_1$ to $m_3$.

Proof. We distinguish the ways the redexes in $m_0$ are related.

If the redexes of $m_0 \to_a m_1$ and $m_0 \to_b m_2$ are parallel, then $m_3$ can be chosen such that $m_1 \to_b m_3$ and $m_2 \to_a m_3$ (preserving whether or not the $b$-step is call-by-value).

If the redex of $m_0 \to_a m_1$ is above the redex of $m_0 \to_b m_2$, then the $\to_a$ step is either of the type $a(\beta)$ or $a(\lambda)$, in which the $\to_b$ step acts on the mixed term $m$ as it occurs in the rule $a(\beta)$ or $a(\lambda)$. As this $m$ is not duplicated, we get $m_3$ such that $m_1 \to_b m_3$ and $m_2 \to_a m_3$ (and the step $m_0 \to_b m_2$ is not call-by-value).

If the redex of $m_0 \to_a m_1$ is below the redex of $m_0 \to_b m_2$, then some further case analysis is required.

If there is no overlap, then $m_3$ can be chosen such that $m_1 \to_b m_3$ (preserving being call-by-value) and $m_2 \to_a^* m_3$.

If there is overlap and $m_0 \to_a m_1$ is an application of $a(f)$ or $a(a)$, then $m_0 = E_a[f\ a]$ and $m_2 = E_a[a]$, and $m_3$ can be chosen to be $E_a[A]$, satisfying $m_1 \to_a^* m_3$ and $m_2 \to_a m_3$.

The remaining case is illustrated by the following picture:

$$\begin{array}{lcl}
m_0 = E_a[(\lambda x{:}T.\,m)\ m'] & \xrightarrow{\ b\ } & m_2 = E_a[[m'/x]m] \\
\big\downarrow a & & \big\downarrow a^* \quad \text{since } m' \to_a^* T \\
m_1 = E_a[(T \Rightarrow [T/x]m)\ m'] & & \\
\big\downarrow a^* \quad \text{since } m' \to_a^* T & & \\
E_a[(T \Rightarrow [T/x]m)\ T] & \xrightarrow{\ a\ } & E_a[[T/x]m]
\end{array}$$

The picture already shows that by choosing $m_3 = E_a[[T/x]m]$ we obtain $m_1 \to_a^* m_3$ and $m_2 \to_a^* m_3$ if we can prove $m' \to_a^* T$. For doing so we use the assumption that $m_0$ is typable: there exists a type $T'$ such that $m_0 = E_a[(\lambda x{:}T.\,m)\ m'] \to_a^* T'$. Since $T'$ is a type it does not contain a $\lambda$ symbol, so somewhere in this reduction the $\lambda$ in $\lambda x{:}T.\,m$ should be removed. By inspecting the rules we see that this can only be done by the rule $a(\lambda)$ by which $\lambda x{:}T.\,-$ is replaced by $T \Rightarrow -$. Next the (invisible) application symbol in $(\lambda x{:}T.\,m)\ m'$ should be removed. This can only be done by the rule $a(\beta)$. This rule is only applicable if first $m'$ is rewritten by $\to_a$ steps to $T$, indeed proving $m' \to_a^* T$.

□

Theorem 6.4. The relation $(\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_a) \cup (\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_b)$ is confluent.

Proof. We will apply Theorem 5.3. For this, we need to check properties (1) to (4) for the particular relations $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_a$ and $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_b$. Property (2) follows from Theorem 4.3 and the fact that $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})}$ is the identity relation. All peaks must be of the form $m_1 \leftarrow_a m \leftarrow_{\mathrm{Id}} m \to_{\mathrm{Id}} m \to_a m_2$, due to the composition with $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})}$. By Theorem 4.3, if $m_1 \leftarrow_a m \to_a m_2$, then there exists $m_3$ such that $m_1 \to_a m_3 \leftarrow_a m_2$. Thus, any $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_a$ peak $m_1 \leftarrow_a m \leftarrow_{\mathrm{Id}} m \to_{\mathrm{Id}} m \to_a m_2$ can be completed with $m_1 \to_{\mathrm{Id}} m_1 \to_a m_3 \leftarrow_a m_2 \leftarrow_{\mathrm{Id}} m_2$. Likewise, by Theorem 4.2, $\to_a$ is terminating, so $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_a$ is also terminating, proving property (1). Property (3) follows from Lemma 6.3. So it remains to prove Property (4). This is immediate from the definitions of $\to_a$ and $\to_b$: if $\to_b$ applies on a term $t$, then $t$ either contains $f\ a$ via rule $b(f\text{-}\beta)$, by which $\to_a$ applies via $a(f)$, or $t$ contains $\lambda x{:}T.\,m$ via rule $b(\beta)$, by which $\to_a$ applies via $a(\lambda)$. □

Corollary 6.5 (Confluence of Combined Reduction). Every typable mixed term is confluent with respect to the reduction relation $\to_{ba}$.

Proof. Confluence of the set of typable mixed terms is equivalent to confluence of the relation $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_{ba}$, which is easily seen to be equal to

$$(\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_a) \cup (\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_b)$$

By Theorem 6.4 the latter relation is confluent. □

A form of typability is essential, since the relation $\to_{ba}$ is not confluent in general, as Kuan et al. note also in their setting. For instance, the non-typable term $(\lambda x{:}A.\,x)(\lambda x{:}A.\,x)$ has two distinct normal forms:

$$(A \Rightarrow A)\ (A \Rightarrow A) \ {}^*\!\!\leftarrow_a\ (\lambda x{:}A.\,x)(\lambda x{:}A.\,x) \ \to_b\ \lambda x{:}A.\,x \ \to_a\ (A \Rightarrow A).$$



7. Progress and Type Safety for STLC 

In this section, we complete the basic meta-theory for STLC by proving progress and type safety theorems for call-by-value reduction (the $\to_c$ relation of Section 4). Lemmas 7.4 and 7.5 are stated in a somewhat more general way, so that we can also use them to show type safety for the generalized form of typability we will consider in Section 9.



7.1. Quasi-Stuck Terms. We begin by inductively defining the set of quasi-stuck terms $S$, in Figure 5. Also, let us call a quasi-stuck term which is not a value stuck. The purpose of these definitions is to generalize a characterization of c-normal standard terms to mixed terms (Lemmas 7.1 and 7.2, proved next), in such a way that we can show that the set of quasi-stuck terms is closed under abstract reduction (Lemma 7.3, proved below). This will allow us to prove that typable quasi-stuck terms must be values (Lemma 7.5), from which we easily obtain the desired main theorems of progress and type safety.

Lemma 7.1. If $m$ is quasi-stuck, then $m \not\to_c$.

Proof. The proof is by an easy structural induction on $m$, using the definition of quasi-stuck. □



• Mixed values $u$ are in $S$.

• Terms of the form $a\ s$ or $A\ s$ are in $S$ if $s \in S$.

• Terms of the form $f\ s$ or $(A \Rightarrow A)\ s$ are in $S$ if $s \in S$ and $s$ is neither $a$ nor $A$.

• Terms of the form $(\lambda x{:}T.\,m)\ s$ or $(T \Rightarrow m)\ s$ are in $S$ if $s \in S$ and $s$ is not a mixed value.

• Terms of the form $s\ s'$ are in $S$ if $s, s' \in S$ and $s$ is not a mixed value.

Figure 5: Inductive definition of the set $S$ of quasi-stuck terms
Lemma 7.2. If standard term $t$ is closed and $t \not\to_c$, then $t$ is quasi-stuck.

Proof. The proof is by structural induction on $t$. If $t$ is a (standard) value it is quasi-stuck, and it cannot be a variable since $t$ is closed. So suppose it is an application $t_1\ t_2$. Since $t_1$ is closed, $t_1$ cannot be a variable. We consider now the remaining possibilities. It could be that $t_1$ is $a$ and $t_2$ is some other c-normal form. Then by the induction hypothesis, $t_2$ is quasi-stuck, and $t$ is, too, using the second clause above in the definition of quasi-stuck terms. Next, we could have the situation where $t_1$ is $f$, and $t_2$ is any c-normal form except $a$. Then by the induction hypothesis, $t_2$ is quasi-stuck, and $t$ is, too, using the third clause in the definition of quasi-stuck terms. Next, we could have that $t_1$ is a $\lambda$-abstraction, and $t_2$ is any c-normal form except a standard value. Then by the induction hypothesis, $t_2$ is quasi-stuck, and it cannot be a mixed value other than a standard value, because $t_2$ is a standard term. So $t$ is quasi-stuck, too, using the fourth clause. Finally, if $t_1$ is some application, then by the induction hypothesis, $t_1$ and $t_2$ are both quasi-stuck. Since $t_1$ is not a value, the fifth clause above gives us that $t$ is quasi-stuck. □

Lemma 7.3 (Reduction of Quasi-Stuck Terms). If $m$ is quasi-stuck, and $m \to_a m'$, then $m'$ is also quasi-stuck. Furthermore, if $m$ is a mixed value, then so is $m'$; and if $m$ is not a mixed value, then neither is $m'$.

Proof. The proof is by structural induction on $m$. Suppose $m$ is a mixed value. Then it is easy to see by inspection of the reduction rules that $m'$ must be, too. So suppose $m$ is of the form $a\ s$ or $A\ s$ with $s \in S$. Then either the assumed reduction is of the form $a\ s \to_a A\ s$, or else of the form $a\ s \to_a a\ m''$ or $A\ s \to_a A\ m''$. In the former case, the resulting term is a quasi-stuck non-value. In the latter, we may apply the induction hypothesis to conclude that $m''$ is quasi-stuck, and hence $a\ m''$ (or $A\ m''$) is a quasi-stuck non-value.

If $m$ is of the form $f\ s$ or $(A \Rightarrow A)\ s$, where $s \in S$ and $s$ is not $a$ or $A$, then either the assumed reduction is of the form $f\ s \to_a (A \Rightarrow A)\ s$, or else $f\ s \to_a f\ m''$ or $(A \Rightarrow A)\ s \to_a (A \Rightarrow A)\ m''$. In the former case, the resulting term is a quasi-stuck non-value, by the third clause of the definition of quasi-stuck terms above. In the latter, if $s$ is not a value, we again use our induction hypothesis to conclude that $m''$ is a quasi-stuck non-value, and hence not $a$ or $A$. So $m'$ is a quasi-stuck non-value, too. If $s$ is a value, then so is $m''$, and reduction cannot turn a value other than $a$ into $a$ or $A$. So again, $m''$ has the required form to be a quasi-stuck non-value.

Suppose $m$ is of the form $(\lambda x{:}T.\,m'')\ s$ or $(T \Rightarrow m'')\ s$, with $s \in S$ and $s$ not a mixed value. Then either the assumed reduction is of the form $(\lambda x{:}T.\,m'')\ s \to_a (T \Rightarrow [T/x]m'')\ s$; or else of the form $(\lambda x{:}T.\,m'')\ s \to_a (\lambda x{:}T.\,m''')\ s$ or $(T \Rightarrow m'')\ s \to_a (T \Rightarrow m''')\ s$; or else of the form $(\lambda x{:}T.\,m'')\ s \to_a (\lambda x{:}T.\,m'')\ m'''$ or $(T \Rightarrow m'')\ s \to_a (T \Rightarrow m'')\ m'''$. In the first two cases, the resulting term still has the required form to be a quasi-stuck non-value. In the third case, we know $s$ is not a value by the definition of quasi-stuck terms, so we may use our induction hypothesis to conclude that $m'''$ is a quasi-stuck non-value, which is sufficient to conclude that the resulting term is again stuck.

Finally, suppose $m$ is of the form $m_1\ m_2$, where $m_1$ is not a mixed value. Then the assumed reduction must be of the form either $m_1\ m_2 \to_a m_1'\ m_2$ or else $m_1\ m_2 \to_a m_1\ m_2'$, for some $m_1'$ with $m_1 \to_a m_1'$ or else some $m_2'$ with $m_2 \to_a m_2'$. This is because, by inspection of the reduction rules, $m$ itself cannot be a redex if $m_1$ is not a mixed value. In the former case, we may apply the induction hypothesis to conclude that $m_1'$ is a quasi-stuck non-value, and hence so is $m'$. In the latter, we may apply the induction hypothesis to conclude that $m_2'$ is quasi-stuck, and hence so is $m'$. □
Lemma 7.4. If $m$ is quasi-stuck (including the case where $m$ is a closed mixed value), and $m \to_{ca}^* T$, then $m \to_a^* T$.

Proof. The proof is by induction on the length of the reduction sequence from $m$ to $T$. If this length is 0, the result obviously holds. So suppose we have $m \to_{ca} m' \to_{ca}^* T$. Since $m$ is quasi-stuck, we have $m \not\to_c$ by Lemma 7.1. So it must be the case that $m \to_a m'$. Since $m'$ is quasi-stuck by Lemma 7.3, we may apply our induction hypothesis to conclude $m' \to_a^* T$, and hence $m \to_a^* T$. □

Lemma 7.5. Suppose $m$ is a closed quasi-stuck term. Suppose further that $m \to_{ca}^* T$. Then $m$ is a mixed value.

Proof. The proof is similar to the previous one, and proceeds by induction on the length of the reduction sequence from $m$ to $T$. If this length is 0, the result holds, since types are mixed values. So suppose we have $m \to_{ca} m' \to_{ca}^* T$. Since $m$ is quasi-stuck, we have $m \not\to_c$ by Lemma 7.1. So it must be the case that $m \to_a m'$. We now consider cases on the form of $m$. If $m$ is a mixed value the result holds. So suppose it is a non-value. Then by Lemma 7.3, $m'$ must also be a quasi-stuck non-value, and we may apply the induction hypothesis to derive a contradiction. □



7.2. Concluding Progress and Type Safety. Armed with the concept of quasi-stuck 
terms and its associated lemmas, we can now obtain the main results of this section. 

Theorem 7.6 (Progress). If standard term $t$ is closed, $t \to_a^* T$, and $t \not\to_c$, then $t$ is a (standard) value.

Proof. By Lemma 7.2 and the assumption $t \not\to_c$, we know $t$ is quasi-stuck. Now since our assumption that $t \to_a^* T$ implies $t \to_{ca}^* T$, we can apply Lemma 7.5 to conclude that $t$ is a mixed value (and hence a standard value, since $t$ is a standard term). □

Theorem 7.7 (Type Safety). If standard term $t$ is closed, $t \to_a^* T$, and $t \to_c^* m \not\to_c$, then $m$ is a standard value.

Proof. The proof is by induction on the length of the reduction sequence from $t$ to $m$. In the base case, we apply Theorem 7.6, since we have $m = t \not\to_c$ in that case. For the step case, suppose we have $t \to_c m' \to_c^* m \not\to_c$. In this case, we can apply Theorem 6.2 to conclude $m' \to_a^* T$. It is easily proved by induction on the structure of call-by-value evaluation contexts $E_c$ that if we have $t \to_c m'$, then $m'$ is a standard term $t'$. We may now apply the induction hypothesis, since we have $t' \to_a^* T$ and $t' \to_c^* m \not\to_c$. □



8. Applying Automated Analysis Tools to Type Preservation 

In this section, we show how automated tools for analyzing term-rewriting systems can be applied to automate part of the proof of type preservation. We will consider a language, which we call Uniform-STC, that does not distinguish terms and types syntactically. Advanced type systems like Pure Type Systems must often rely solely on the typing rules to distinguish terms and types (and kinds, superkinds, etc.) [S]. In Uniform-STC, we explore issues that arise in applying the rewriting approach to more advanced type systems. We must now implement kinding (i.e., type checking of types) as part of the abstract reduction relation. We adopt a combinatory formulation so that the abstract reduction relation can be described by a first-order term-rewriting system.

mixed terms $t ::= S(t_1,t_2,t_3) \mid K(t_1,t_2) \mid t_1\ t_2 \mid t_1 \Rightarrow t_2 \mid A \mid \mathit{kind}(t_1,t_2)$

mixed values $u ::= S(t_1,t_2,t_3) \mid K(t_1,t_2) \mid A \mid t_1 \Rightarrow t_2$

concrete evaluation contexts $E_c ::= * \mid E_c\ t \mid u\ E_c$

Figure 6: Uniform-STLC language syntax and evaluation contexts

$E_c[S(t_1,t_2,t_3)\ u\ u'\ u''] \to_c E_c[u\ u''\ (u'\ u'')]$

$E_c[K(t_1,t_2)\ u\ u'] \to_c E_c[u]$

$S(t_1,t_2,t_3) \to_a \mathit{kind}(t_1, \mathit{kind}(t_2, \mathit{kind}(t_3, (t_1 \Rightarrow t_2 \Rightarrow t_3) \Rightarrow (t_1 \Rightarrow t_2) \Rightarrow (t_1 \Rightarrow t_3))))$

$K(t_1,t_2) \to_a \mathit{kind}(t_1, \mathit{kind}(t_2, (t_1 \Rightarrow t_2 \Rightarrow t_1)))$

$(t_1 \Rightarrow t_2)\ t_1 \to_a \mathit{kind}(t_1, t_2)$

$\mathit{kind}((t_1 \Rightarrow t_2), t) \to_a \mathit{kind}(t_1, \mathit{kind}(t_2, t))$

$\mathit{kind}(A, t) \to_a t$

Figure 7: Concrete and abstract reduction rules

Figure 6 shows the syntax for the Uniform-STC language. There is a single syntactic category $t$ for mixed terms and types, which include a base type $A$ and simple function types. $S(t_1,t_2,t_3)$ and $K(t_1,t_2)$ are the usual combinators, indexed by terms which determine their simple types. The $\mathit{kind}$ construct for terms is used to implement kinding. The rules for concrete and abstract reduction are given in Figure 7. The concrete rules are just the standard ones for call-by-value reduction of combinator terms. For abstract reduction, we are using first-order term-rewriting rules (unlike for previous systems).

For STLC (Section 6), abstract $\beta$-redexes have the form $(T \Rightarrow t)\ T$. For Uniform-STC, since there is no syntactic distinction between terms and types, abstract $\beta$-redexes take the form $(t_1 \Rightarrow t_2)\ t_1$, and we must use kinding to ensure that $t_1$ is a type. This is why the $a(\beta)$ rule introduces a kind-term. We also enforce kinding when abstracting simply typed combinators $S(t_1,t_2,t_3)$ and $K(t_1,t_2)$ to their types. The rules for kind-terms ($a(k\text{-}{\Rightarrow})$ and $a(k\text{-}A)$) make sure that the first term is a type, and then reduce to the second term.

Here, we define typability by value $u$ to mean abstract reduction to $u$ where $u$ is kindable, which we define as $\mathit{kind}(u, A) \to_a^* A$. This definition avoids the need to define types syntactically.
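To make the kinding machinery concrete, here is the rewrite system of Figure 7 together with the kindability test, as an added Python example that is not part of the paper. The tuple encoding of terms, the helper names and the two constructed input terms are this example's own, and it treats partial applications of S and K as values when choosing the evaluation context (an assumption: Figure 6 lists only S, K, A and t1 ⇒ t2 as values).

```python
# Added example, not from the paper: the Uniform-STC rules of Figures 6 and 7 as a
# first-order term-rewriting system, plus the "typability by value" check.
# Terms are nested tuples:
#   ('A',) | ('S', t1, t2, t3) | ('K', t1, t2) | ('app', t1, t2)
#   | ('arrow', t1, t2)  (t1 => t2, right-associative)  | ('kind', t1, t2)
A = ('A',)

def S(t1, t2, t3): return ('S', t1, t2, t3)
def K(t1, t2): return ('K', t1, t2)
def app(f, *xs):                      # app(f, x, y) is the left-nested (f x) y
    for x in xs:
        f = ('app', f, x)
    return f
def arrow(t1, t2): return ('arrow', t1, t2)
def kind(t1, t2): return ('kind', t1, t2)

def root_step(t):
    """One ->a step at the root of t (Figure 7), or None if no rule matches there."""
    tag = t[0]
    if tag == 'S':
        t1, t2, t3 = t[1], t[2], t[3]
        ty = arrow(arrow(t1, arrow(t2, t3)), arrow(arrow(t1, t2), arrow(t1, t3)))
        return kind(t1, kind(t2, kind(t3, ty)))
    if tag == 'K':
        t1, t2 = t[1], t[2]
        return kind(t1, kind(t2, arrow(t1, arrow(t2, t1))))
    if tag == 'app' and t[1][0] == 'arrow' and t[1][1] == t[2]:
        return kind(t[1][1], t[1][2])       # a(beta): (t1 => t2) t1 ->a kind(t1, t2)
    if tag == 'kind':
        if t[1][0] == 'arrow':              # a(k-=>)
            return kind(t[1][1], kind(t[1][2], t[2]))
        if t[1] == A:                       # a(k-A)
            return t[2]
    return None

def a_normal_form(t):
    """The ->a normal form of t, computed innermost; it is unique because ->a is
    terminating and confluent (Theorems 8.1 and 8.2)."""
    t = (t[0],) + tuple(a_normal_form(s) for s in t[1:])
    r = root_step(t)
    return t if r is None else a_normal_form(r)

def kindable(u):
    """Kindability as defined in the text: kind(u, A) ->a* A."""
    return a_normal_form(kind(u, A)) == A

def typable_by_value(t):
    """Return the value u with t ->a* u if u is kindable, else None."""
    u = a_normal_form(t)
    return u if kindable(u) else None

def is_value(t):
    return t[0] in ('S', 'K', 'A', 'arrow')

def spine(t):
    """Split f x1 ... xn into (f, [x1, ..., xn])."""
    args = []
    while t[0] == 'app':
        args.append(t[2])
        t = t[1]
    return t, args[::-1]

def c_step(t):
    """One call-by-value ->c step (Figure 7), or None if t is c-normal.
    Evaluation goes left to right into the first non-value argument; partial
    applications of S and K are treated as values here (an assumption of this
    example; Figure 6 lists only S, K, A and t1 => t2 as values)."""
    head, args = spine(t)
    if not is_value(head):
        return None
    for i, x in enumerate(args):
        if not is_value(x):
            r = c_step(x)
            return None if r is None else app(head, *args[:i], r, *args[i + 1:])
    if head[0] == 'K' and len(args) >= 2:           # c(beta-K)
        return app(args[0], *args[2:])
    if head[0] == 'S' and len(args) >= 3:           # c(beta-S)
        u, u1, u2 = args[0], args[1], args[2]
        return app(app(u, u2, app(u1, u2)), *args[3:])
    return None

# Constructed inputs: K(A,A) A A, and the identity S K K (at type A).
K_TERM = app(K(A, A), A, A)
I_TERM = app(S(A, arrow(A, A), A), K(A, arrow(A, A)), K(A, A))

def preservation_check(t):
    """Type preservation (Theorem 8.5) along one c-step: t and its reduct have the
    same ->a normal form, and that normal form is kindable."""
    t2 = c_step(t)
    return (t2 is not None and typable_by_value(t) is not None
            and a_normal_form(t2) == a_normal_form(t))
```

The non-left-linear rule a(β) only fires once the argument has been abstracted to a syntactically identical type, which is why the normal form is computed innermost.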

Following the methodology embodied in Theorem 5.1, we must first prove the abstract reduction is confluent. In fact, it is convergent, and we can apply analysis tools to determine this, as shown in the next two theorems.

Theorem 8.1. The term rewriting system $\to_a$ is terminating.

Proof. The automated termination checker AProVE reports that the rewrite system for $\to_a$ is terminating, using a recursive path ordering. □

Theorem 8.2. The term rewriting system $\to_a$ is confluent.






Proof. Abstract reduction for Uniform-STC does not have the diamond property due to the non-left-linear rule $a(\beta)$, where there could indeed be redexes in the expressions matching the repeated variable $t_1$. By Theorem 8.1, however, we can apply Newman's Lemma to conclude confluence from local confluence. Local confluence follows because all the $aa$-peaks can be joined using either one $a$-step on either side as for STLC, or else using additional balancing steps if one of the rules applied is $a(\beta)$.

But even easier than this reasoning is applying an automated confluence checker: the ACP tool immediately reports that the abstract reduction relation is confluent [3]. □

The proofs of Theorems 8.1 and 8.2 demonstrate how the rewriting approach to typing benefits from recent advances in analysis tools for term rewriting: we can use termination and confluence checkers to analyze the abstract reduction relation $\to_a$ corresponding to typing. We expect this situation to recur for more advanced type systems, although some may provide new challenges for automated analysis tools (we give an example below).

Lemma 8.3. $\leftarrow_a \circ \mathrm{Id}_{\leftarrow_a^*(S)} \circ \to_c \ \subseteq\ (\to_c \cup \to_a^*) \cdot \leftarrow_a^*$

Proof. We distinguish the peaks originating at typable terms $t$.

If the $\leftarrow_a$ and $\to_c$ steps are parallel, $E'_c[t] \leftarrow_a E_c[t] \leftarrow_{\mathrm{Id}} E_c[t] \to_{\mathrm{Id}} E_c[t] \to_c E_c[t']$, the peak can be completed directly: $E'_c[t] \to_{\mathrm{Id}} E'_c[t] \to_c E'_c[t'] \leftarrow_a E_c[t'] \leftarrow_{\mathrm{Id}} E_c[t']$.

If the $\leftarrow_a$ and $\to_c$ steps overlap, there are two cases, corresponding to $c(\beta\text{-}K)$ and $c(\beta\text{-}S)$ reduction steps. We show the completion for $c(\beta\text{-}K)$ peaks (omitting the $\to_{\mathrm{Id}}$ steps to simplify the presentation); the argument for $c(\beta\text{-}S)$ peaks is similar.

P. $E_c[u[(t\ t\ t')]] \ \leftarrow_a\ E_c[(K(t_1,t_2)\ t\ t')] \ \to_c\ E_c[t]$

L. $E_c[u[(t\ t\ t')]] \ \to_a^*\ E_c[u[(t\ t_1\ t'')]] \ \to_a\ E_c[u[((t_2 \Rightarrow t_1)\ t'')]] \ \to_a^*\ E_c[u[((t_2 \Rightarrow t_1)\ t_2)]] \ \to_a\ E_c[\mathit{kind}(t_1, \mathit{kind}(t_2, t_1))] \ \to_a^*\ E_c[t_1]$

R. $E_c[t] \ \to_a^*\ E_c[t_1]$

The $\to_a^*$-steps are justified because the peak term (shown on line (P)) is typable by composition with $\mathrm{Id}_{\leftarrow_a^*(S)}$. By confluence of abstract reduction, this implies that the sources of all the left steps are also typable. For each $\to_a^*$-step, since abstract reduction cannot drop redexes (as all rules are non-erasing), we argue as for STLC that a descendant of the appropriate displayed kind-term or application must eventually be contracted, as otherwise a stuck descendant of such would remain in the final term. Kindable terms cannot contain stuck applications or stuck kind-terms, because our abstract reduction rules are non-erasing. And contraction of those displayed kind-terms or applications requires the reductions used for the $\to_a^*$-steps, which are sufficient to complete the peak. □

Lemma 8.4. Every normal form with respect to $\to_a$ is also a normal form with respect to $\to_b$.

The normal forms of $\to_a$ include $A$, $t_1\ t_2$ where $t_1$ and $t_2$ are $a$-normal forms, $(t_1 \Rightarrow t_2)\ t_1'$ where $t_1 \neq t_1'$, and $\mathit{kind}(t_1, t)$ where $t_1$ is not generated by the grammar $T ::= A \mid T \Rightarrow T$. By inspection, $E_c[A] \not\to_c$ and $E_c[t_1 \Rightarrow t_2] \not\to_c$.

Theorem 8.5 (Type Preservation). Let $m, m'$ be mixed terms and $T$ be a term such that $\mathit{kind}(T, t) \to_a t$. If $m \to_a^* T$ and $m \to_c m'$, then $m' \to_a^* T$.

Proof. By application of Theorem 5.1. Condition (1) is satisfied by instantiating $S$ by the set of terms $\{t \mid \mathit{kind}(t, t') \to_a t'\}$. Condition (2) follows by Theorem 8.2, condition (3) by Lemma 8.3, and condition (4) by Lemma 8.4. □
Theorem 8.6. Every mixed typable term is confluent with respect to the reduction relation $\to_{ca}$.

Proof. For proving that $\to_{ca}$ is confluent for typable mixed terms we need to check properties (1) to (4) of Theorem 5.3 for the particular relations $\mathrm{Id}_{\leftarrow_a^*(S)} \circ \to_a$ and $\mathrm{Id}_{\leftarrow_a^*(S)} \circ \to_c$. The composition of $\to_a$ and $\to_b$ with $\mathrm{Id}_{\leftarrow_a^*(S)}$ serves to ensure that we are only considering typable terms.

Property (2) follows from Theorem 8.2 and the fact that $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})}$ is the identity relation. All 1-step peaks must be of the form $m_1 \leftarrow_a m \leftarrow_{\mathrm{Id}} m \to_{\mathrm{Id}} m \to_a m_2$, due to the composition with $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})}$. By Theorem 8.2, if $m_1 \leftarrow_a m \to_a m_2$, then there exists $m_3$ such that $m_1 \to_a^* m_3 \leftarrow_a^* m_2$. Thus, any $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_a$ peak $m_1 \leftarrow_a m \leftarrow_{\mathrm{Id}} m \to_{\mathrm{Id}} m \to_a m_2$ can be completed with $m_1 \to_{\mathrm{Id}} m_1 \to_a^* m_3 \leftarrow_a^* m_2 \leftarrow_{\mathrm{Id}} m_2$. By Theorem 8.1, $\to_a$ is terminating, so $\mathrm{Id}_{\leftarrow_a^*(\mathit{Types})} \circ \to_a$ is also terminating, proving property (1). Property (3) follows from Lemma 8.3. Property (4) follows from Lemma 8.4. □

As an aside, note that a natural modification of this problem is out of the range of ACP, version 0.20. Suppose we are trying to group kind-checking terms so that we can avoid duplicate kind checks for the same term. For this, we may wish to permute kind-terms, and pull them out of other term constructs. The following rules implement this idea, and can be neither proved confluent nor dis-proved by ACP, version 0.20. Just the first seven rules are also unsolvable by ACP. (The S rule below is the rule of Figure 7 with `arrow` for $\Rightarrow$ and `base` for $A$.)

    (VAR a b c A B C D)
    (RULES
      S(A,B,C) -> kind(A, kind(B, kind(C,
          arrow(arrow(A, arrow(B, C)), arrow(arrow(A, B), arrow(A, C))))))
      K(A,B) -> kind(A, kind(B, arrow(A, arrow(B, A))))
      app(arrow(A,b), A) -> kind(A,b)
      kind(base,a) -> a
      kind(arrow(A,B), a) -> kind(A, kind(B, a))
      kind(A, kind(A,a)) -> kind(A,a)
      kind(A, kind(B,a)) -> kind(B, kind(A,a))
      app(kind(A,b), c) -> kind(A, app(b,c))
      app(c, kind(A,b)) -> kind(A, app(c,b))
      arrow(kind(A,b), c) -> kind(A, arrow(b,c))
      arrow(c, kind(A,b)) -> kind(A, arrow(c,b))
      kind(kind(a,b), c) -> kind(a, kind(b,c))
    )



9. Generalizing Nuprl's Direct Computation Rules 

Martin-Löf's Intuitionistic Type Theory (ITT), as formulated in [15], is a system of four judgments presented with a rigorous but informal semantics. A typing judgment of the form $a \in A$ "means that $a$ has a canonical object of the canonical type denoted by $A$ as value" [15, page 174]. Here, Martin-Löf is making use of the concept of a term (of ITT) having a value, a concept he defines earlier in the paper. The authors of the Nuprl system realized that this semantics justifies more permissive typing rules than allowed by Martin-Löf's own formal systems [5] (see also Section 2.2 of [2] for a historical perspective). In particular, it justifies so-called direct computation rules, which turned out to be useful for formal development with Nuprl:

$$\frac{t \to^* t' \qquad t' \in T}{t \in T}$$

Applying Theorem 4.4, we can view this rule from a rewriting perspective. We will use call-by-value reduction, as full $\beta$-reduction would require additional technicalities that would not be illuminating (we would have to use parallel reduction and incorporate a proof of confluence of $\beta$-reduction, in order to get preservation of generalized typing).

$$t \to_c^* t' \to_a^* T$$

In this section, we will take the idea of Nuprl's direct computation rules one step further, by adopting the following definition.

Definition 9.1 (Generalized Typability). A mixed term $m$ is called generalized typable if $m \to_{ca}^* T$ for some type $T$.

This allows us to view (call-by-value versions of) Nuprl's direct computation rules as embodying a special case of generalized typability, namely $\to_c^* \cdot \to_a^*$. We will see in this section that we can prove type preservation directly for generalized typing, using the rewriting approach. Note that generalized typability is not obviously decidable, since $\to_{ca}$ is not terminating.

A simple example of generalized typability is given by the term $(\lambda x{:}A.\,\lambda y{:}A.\,y)\ \lambda x{:}A.\,x\ x$. Note that the argument term $\lambda x{:}A.\,x\ x$ is not simply typable. This term has several $ca$-reduction sequences, including the following one:

$$\begin{array}{ll}
(\lambda x{:}A.\,\lambda y{:}A.\,y)\ \lambda x{:}A.\,x\ x & \to_a \\
(\lambda x{:}A.\,(A \Rightarrow A))\ \lambda x{:}A.\,x\ x & \to_a \\
(\lambda x{:}A.\,(A \Rightarrow A))\ (A \Rightarrow (A\ A)) & \to_c \\
A \Rightarrow A &
\end{array}$$

Because this term $ca$-reduces to a type, the generalized type-safety property we will obtain in this section tells us that the $c$-normal form of this term, if such exists, is a value. This can, of course, be confirmed for this case, where the $c$-normal form is just $\lambda y{:}A.\,y$. Notice that this example also shows that $\to_{ca}$ is not confluent, as we can also reduce it to a stuck term in this way:

$$\begin{array}{ll}
(\lambda x{:}A.\,\lambda y{:}A.\,y)\ \lambda x{:}A.\,x\ x & \to_a \\
(\lambda x{:}A.\,(A \Rightarrow A))\ \lambda x{:}A.\,x\ x & \to_a \\
(\lambda x{:}A.\,(A \Rightarrow A))\ (A \Rightarrow (A\ A)) & \to_a \\
(A \Rightarrow (A \Rightarrow A))\ (A \Rightarrow (A\ A)) & \not\to
\end{array}$$
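To see both outcomes at once, the following added Python example (not the paper's code) implements $\to_a$ and call-by-value $\to_c$ for the $\lambda$/$\Rightarrow$/$A$ fragment of mixed terms used in this example and enumerates every $\to_{ca}$-normal form reachable from $(\lambda x{:}A.\,\lambda y{:}A.\,y)\ \lambda x{:}A.\,x\ x$. The tuple encoding, the function names and the assumption that substituted terms are closed are this example's own.

```python
from collections import deque

# Added example, not from the paper: ->a and call-by-value ->c on the fragment of
# mixed terms used in Section 9's example (variables, abstractions, applications,
# the base type A and T => m; the constants a and f are not needed here).
# Terms are nested tuples:
#   ('var', x) | ('lam', x, T, m) | ('app', m1, m2) | ('A',) | ('arrow', T, m)
A = ('A',)

def var(x): return ('var', x)
def lam(x, T, m): return ('lam', x, T, m)
def app(m, n): return ('app', m, n)
def arrow(T, m): return ('arrow', T, m)

def is_type(m):
    """Types T ::= A | T1 => T2."""
    return m == A or (m[0] == 'arrow' and is_type(m[1]) and is_type(m[2]))

def is_value(m):
    """Mixed values of this fragment: abstractions, A, and T => m."""
    return m[0] in ('lam', 'A', 'arrow')

def subst(m, x, s):
    """[s/x]m.  Assumes s is closed, so no variable capture can occur (true for
    a(lambda), which substitutes a type, and for closed programs under ->c)."""
    tag = m[0]
    if tag == 'var':
        return s if m[1] == x else m
    if tag == 'lam':
        y, T, body = m[1], m[2], m[3]
        return m if y == x else lam(y, T, subst(body, x, s))   # y shadows x
    if tag == 'app':
        return app(subst(m[1], x, s), subst(m[2], x, s))
    if tag == 'arrow':
        return arrow(m[1], subst(m[2], x, s))
    return m                                                    # A

def a_steps(m):
    """All one-step ->a reducts of m (abstract reduction applies at any position)."""
    out = []
    tag = m[0]
    if tag == 'lam':                          # a(lambda): \x:T.m ->a T => [T/x]m
        x, T, body = m[1], m[2], m[3]
        out.append(arrow(T, subst(body, x, T)))
        out += [lam(x, T, b) for b in a_steps(body)]
    elif tag == 'app':
        f, arg = m[1], m[2]
        if f[0] == 'arrow' and f[1] == arg:   # a(beta): (T => m) T ->a m
            out.append(f[2])
        out += [app(g, arg) for g in a_steps(f)]
        out += [app(f, b) for b in a_steps(arg)]
    elif tag == 'arrow':
        out += [arrow(m[1], b) for b in a_steps(m[2])]
    return out

def c_step(m):
    """The call-by-value ->c reduct of m under E_c ::= * | E_c m | u E_c,
    or None if m is c-normal."""
    if m[0] != 'app':
        return None
    f, arg = m[1], m[2]
    if not is_value(f):                       # E_c m: reduce the function first
        r = c_step(f)
        return None if r is None else app(r, arg)
    if not is_value(arg):                     # u E_c: then the argument
        r = c_step(arg)
        return None if r is None else app(f, r)
    if f[0] == 'lam':                         # c(beta) on a value argument
        return subst(f[3], f[1], arg)
    return None

def ca_normal_forms(m, limit=10000):
    """Set of ->ca-normal forms reachable from m, by breadth-first search over the
    reduction graph (exhaustive when the graph is finite, as it is for EXAMPLE)."""
    seen, todo, normal = {m}, deque([m]), set()
    while todo:
        cur = todo.popleft()
        succ = a_steps(cur)
        c = c_step(cur)
        if c is not None:
            succ.append(c)
        if not succ:
            normal.add(cur)
        for n in succ:
            if n not in seen and len(seen) < limit:
                seen.add(n)
                todo.append(n)
    return normal

def generalized_typable(m):
    """Definition 9.1: m ->ca* T for some type T (a type is always ->ca-normal)."""
    return any(is_type(nf) for nf in ca_normal_forms(m))

# Constructed input: the term of the text, (\x:A. \y:A. y) (\x:A. x x).
EXAMPLE = app(lam('x', A, lam('y', A, var('y'))),
              lam('x', A, app(var('x'), var('x'))))
```

For EXAMPLE the search returns exactly the two normal forms displayed above, the type $A \Rightarrow A$ and the stuck term $(A \Rightarrow (A \Rightarrow A))\ (A \Rightarrow (A\ A))$, which is the non-confluence of $\to_{ca}$ made visible.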

Theorem 9.2 (Generalized Type Preservation for Call-By-Value Reduction). If $m \to_{ca}^* T$ and $m \to_c m'$, then $m' \to_{ca}^* T$.

Proof. We cannot conveniently apply Theorem 5.1, because the natural instantiation would be to take $\to_{ca}$ for the relation $\to_a$ in the theorem, but then we would have to prove confluence of $\to_{ca}$, which does not hold (as shown just above). So instead we give a direct proof, by induction on the length of the assumed $ca$-sequence from $m$ to $T$. The sequence cannot be of length 0, since $m$ cannot be a type (since it $c$-reduces, as no type can).

For the step case: suppose the assumed $ca$-reduction is of the form $m \to_a m'' \to_{ca}^* T$. We now consider cases for the form of overlap of the step $m \to_a m''$ and $m \to_c m'$. Suppose the $c$-step is $E_c[f\ a] \to_c E_c[a]$. If the $a$-step is in $E_c$, that means $m'' = E'_c[f\ a]$, where the hole in $E_c$ is at the same position as in $E'_c$. We can just permute these steps, to obtain $E_c[a] \to_a E'_c[a]$ and $E'_c[f\ a] \to_c E'_c[a]$. Now the induction hypothesis can be applied with $E'_c[f\ a]$ (i.e., $m''$) as the peak term, and $E'_c[a]$ as the term to which it $c$-steps.

So suppose the $a$-step is in the displayed $f\ a$ of $E_c[f\ a]$. Then before the reduction sequence from $m''$ to $T$ can perform a $c$-step, it must first reduce the residual of $f\ a$ to $A$, since that residual occurs in a $c$-reduction position. So the reduction sequence from $m''$ to $T$ must look like the following, where the holes in $E_c$ and in $E'_c$ are at the same position:

$$m'' \to_a^* E'_c[A] \to_{ca}^* T$$

By performing the $a$-reductions which transformed $E_c$ to $E'_c$, we can reduce $E_c[a]$ to $E'_c[A]$, and then we are done, since we then have $m' \to_a^* E'_c[A] \to_{ca}^* T$.

We now must consider the case where the $c$-step is $E_c[(\lambda x{:}T'.\,m_1)\ u] \to_c E_c[[u/x]m_1]$. Again, if the $a$-step is in $E_c$, we can permute steps and apply the induction hypothesis. If the $a$-step is in $m_1$ or in $u$, we can also permute the steps, though if the reduction is in $u$ (say $u \to_a u'$), we will in general have $E_c[[u/x]m_1] \to_a^* E_c[[u'/x]m_1]$, since $x$ need not appear exactly once in $m_1$. Nevertheless, we can still apply the induction hypothesis with $m''$ as the peak term, since we will only ever produce one $c$-step from $m''$ by permuting steps. Finally, suppose the $a$-step is $E_c[(\lambda x{:}T'.\,m_1)\ u] \to_a E_c[(T' \Rightarrow [T'/x]m_1)\ u]$. By similar reasoning as in the previous case, the $ca$-reduction sequence from $E_c[(T' \Rightarrow [T'/x]m_1)\ u]$ to $T$ may contain $a$-steps transforming $E_c$ to some $E'_c$, but it cannot take a $c$-step until it has reduced the displayed $(T' \Rightarrow [T'/x]m_1)\ u$ to $[T'/x]m_1'$, with $u \to_a^* T'$ and $m_1 \to_a^* m_1'$. This is because that displayed term is in $c$-reduction position and neither a value nor a redex. We can then duplicate any $a$-steps taken in $E_c$ to $a$-reduce $E_c[[u/x]m_1]$ (i.e., $m'$) to $E'_c[[T'/x]m_1']$. This term then $ca$-reduces to $T$, and we are done. □

Theorem 9.3 (Generalized Progress). If standard term $t$ is closed, $t \to_{ca}^* T$, and $t \not\to_c$, then $t$ is a (standard) value.

Proof. As for Theorem 7.6, we obtain this result by applying Lemmas 7.2 and 7.5. □

Theorem 9.4 (Generalized Type Safety). If standard term $t$ is closed, $t \to_{ca}^* T$, and $t \to_c^* t' \not\to_c$, then $t'$ is a (standard) value.

Proof. This is a direct corollary of Theorems 9.2 and 9.3. □



10. A Rewriting Approach to Normalization for STLC

In this Section, we will see how the rewriting approach to typing impacts a standard approach to proving that every typable (closed) standard term of the simply typed lambda calculus has a $b$-normal form. We will work with a slightly different presentation of STLC than we saw in Section 4, in particular dispensing with the term constants $a$ and $f$. We assume a non-empty set of type constants $A$. The syntax we are using in this section is:

types $T ::= A \mid T_1 \Rightarrow T_2$

mixed terms $m ::= x \mid \lambda x{:}T.\,m \mid m\ m' \mid A \mid T \Rightarrow m$

standard terms $t ::= x \mid \lambda x{:}T.\,t \mid t\ t'$

The abstract and concrete reduction relations are then defined as follows, where we use mixed terms $m$ as contexts (sometimes using meta-variable $\hat m$ in this case), writing $\hat m[m']$ to denote the replacement of the unique occurrence of a special variable $*$ in $\hat m$ by $m'$.

$\hat m[(\lambda x{:}T.\,m)\ m'] \to_b \hat m[[m'/x]m]$ \quad $b(\beta)$

$\hat m[(T \Rightarrow m)\ T] \to_a \hat m[m]$ \quad $a(\beta)$

$\hat m[\lambda x{:}T.\,m] \to_a \hat m[T \Rightarrow [T/x]m]$ \quad $a(\lambda)$



10.1. Interpretation of Mixed Terms. The proof in this section is based on ideas from standard proofs, such as Girard's proof in the book Proofs and Types [32]. The technical details evolve differently, however, since we are using the rewriting approach to typing. Similarly to Girard's proof, we are going to define an interpretation of open types as sets of standard terms. Here, we need to generalize this to give interpretations $[\![m]\!]_\phi$ of mixed terms $m$, where (as standard) $\phi$ assigns interpretations to the free variables of $m$. The most enlightening observation that will come from this is Theorem 10.6 (Abstraction Theorem), which says that interpretation is monotonic with respect to abstract reduction: if $m \to_a m'$, then $[\![m]\!]_\phi \subseteq [\![m']\!]_\phi$. If one views a set as abstracting its elements, and if one considers a mixed term as a code for the set of terms which is its interpretation, then the Abstraction Theorem shows that more abstract codes have more abstract interpretations. This is an elegant perspective that arises, from the standard Tait-Girard method, only by taking a small-step view of typing; existing proofs for normalization in the literature do not have any theorem which corresponds (in any obvious way) to the Abstraction Theorem.

So now to begin the development, let $\mathit{WN}$ be the set of standard terms which are weakly normalizing with respect to $\to_b$ (that is, terms $t$ such that there exists some $t'$ such that $t \to_b^* t' \not\to_b$). Also, if $\to$ is any binary relation on standard terms and $R$ any set of standard terms, we will write $\to(R)$ for the image of $R$ under $\to$ (that is, $\{t' \mid \exists t \in R.\ t \to t'\}$).

We first define $\mathcal{R}$ to be the set of all sets $R$ of standard terms satisfying the following conditions:

(1) $\leftarrow_b^*(R) \subseteq R$

(2) $R \neq \emptyset$

(3) $R \subseteq \mathit{WN}$

The first condition ensures that $t' \to_b^* t$ and $t \in R$ imply $t' \in R$. An assumption like this is often made about such sets of terms. We will call elements of $\mathcal{R}$ reducibility sets. Much work has been devoted to comparing different conditions for families of sets in the context of the interpretation of types (see, e.g., [HI HO]). Our focus here is not so much on the specific conditions on the interpretations of mixed terms, as on how interpretations of terms in the abstract reduction relation are related. The conditions we adopt here are simple and sufficient for weak normalization of closed terms (cf. also Chapter 12 of [17]).

We will use $\phi$ as a meta-variable for assignments, which are functions from $\mathit{Var}$ to $\mathcal{R}$. We write $\phi[R/x]$ to mean the function $\phi$ updated to map variable $x$ to $R \in \mathcal{R}$. Now for any $m$ and $\phi$ with $\mathit{FV}(m) \subseteq \mathit{dom}(\phi)$, we define the interpretation $[\![m]\!]_\phi$ of $m$ with respect to $\phi$ in Figure 8. To ensure that interpretations of types satisfy the first property above of reducibility sets, we need to close under $\leftarrow_b^*$ in the last two clauses of the definition (in Figure 8). Since we are proving normalization, we take the set of normalizing terms as the interpretation of $A$, similarly to what is standardly done for atomic types (e.g., in Girard's proof).

$[\![x]\!]_\phi = \phi(x)$

$[\![A]\!]_\phi = \mathit{WN}$

$[\![T \Rightarrow m]\!]_\phi = \{t \mid \forall t' \in [\![T]\!]_\phi.\ t\ t' \in [\![m]\!]_\phi\}$

$[\![\lambda x{:}T.\,m]\!]_\phi = \leftarrow_b^*(\{\lambda x{:}T.\,t \mid \forall t' \in [\![T]\!]_\phi.\ [t'/x]t \in [\![m]\!]_{\phi[[\![T]\!]_\phi/x]}\})$

$[\![m_1\ m_2]\!]_\phi = \leftarrow_b^*(\{t_1\ t_2 \mid t_1 \in [\![m_1]\!]_\phi \wedge t_2 \in [\![m_2]\!]_\phi\})$

Figure 8: The interpretation of mixed terms



10.2. Interpretations of Types are Reducibility Sets. In this section, we prove that for all types $T$ and $\phi$ with $\mathit{FV}(T) \subseteq \mathit{dom}(\phi)$, we have $[\![T]\!]_\phi \in \mathcal{R}$. We will elide this condition relating $T$ (or instead $m$) and $\phi$ below. We prove the three properties of reducibility sets given in the previous section. The properties must be proved in order, as later properties depend on earlier ones. The first property is needed in a more general form, for any mixed term $m$, and not just types $T$. The second two properties are only needed for types. The proofs in this section are similar to those used for the standard definition of typing, except that there, they are usually proved by mutual induction. Here we can prove them independently, though in sequence, due to the simpler form of the second property. While the development in this section is similar to the usual one, in the next section we will see something significantly different.

Lemma 10.1. $\leftarrow_b^*([\![m]\!]_\phi) \subseteq [\![m]\!]_\phi$

Proof. The proof is by structural induction on $m$. If $m$ is a $\lambda$-abstraction, or application, the desired property follows by idempotence of $\leftarrow_b^*$ as an operator on sets of terms. If $m$ is a variable $x$, then the property follows by the same property for $\phi(x)$, since we stipulated assignments map variables to elements of $\mathcal{R}$. If $m = A$, then we must prove

$$\leftarrow_b^*(\mathit{WN}) \subseteq \mathit{WN}$$

But this just amounts to the obvious fact that if $t' \to_b^* t$ and $t$ is weakly normalizing, then $t'$ is also weakly normalizing.

Finally, suppose $m$ is $T \Rightarrow m'$ for some $m'$. Assume an arbitrary $t \in [\![T \Rightarrow m']\!]_\phi$, and arbitrary $t'$ with $t' \to_b^* t$. We must show $t' \in [\![T \Rightarrow m']\!]_\phi$. To do this, by the definition of the interpretation of $\Rightarrow$-terms, it suffices to consider arbitrary $t'' \in [\![T]\!]_\phi$ and show $t'\ t'' \in [\![m']\!]_\phi$. We have $t\ t'' \in [\![m']\!]_\phi$ by the definition of the interpretation of $\Rightarrow$-terms. Then we get the desired conclusion by the induction hypothesis on $m'$, since $t'\ t'' \to_b^* t\ t''$. □

Lemma 10.2. $[\![T]\!]_\phi \neq \emptyset$

Proof. The proof is by structural induction on T. If T is A, then the desired property holds
immediately, since x is in $WN = [\![A]\!]_\phi$. So suppose $T = T_1 \Rightarrow T_2$, for some $T_1$ and $T_2$. We
must exhibit some $t \in [\![T_1 \Rightarrow T_2]\!]_\phi$. By the induction hypothesis applied to $T_2$, there exists
some $t' \in [\![T_2]\!]_\phi$. Now take $\lambda x{:}T_1.t'$ for the required term t, where we assume $x \notin FV(t')$.
We just have to confirm that $\lambda x{:}T_1.t' \in [\![T_1 \Rightarrow T_2]\!]_\phi$. So assume arbitrary $t'' \in [\![T_1]\!]_\phi$,
and show $(\lambda x{:}T_1.t')\ t'' \in [\![T_2]\!]_\phi$. By Lemma 10.1, it suffices to prove $t' \in [\![T_2]\!]_\phi$, since
$(\lambda x{:}T_1.t')\ t'' \to^*_\beta t'$. But we are assuming $t' \in [\![T_2]\!]_\phi$. □
Lemma 10.3. $[\![T]\!]_\phi \subseteq WN$

Proof. The proof is again by structural induction on T, and is trivial when T is A. So
suppose $T = T_1 \Rightarrow T_2$, and assume arbitrary $t \in [\![T_1 \Rightarrow T_2]\!]_\phi$. We must show $t \in WN$.
By Lemma 10.2, we know there exists some term $t' \in [\![T_1]\!]_\phi$. Then by the definition of the
interpretation of ⇒-terms, $t\ t' \in [\![T_2]\!]_\phi$. By the induction hypothesis applied to $T_2$, we then
have $t\ t' \in WN$. But this implies $t \in WN$, as required. □

Corollary 10.4. $[\![T]\!]_\phi \in \mathcal{R}$

The above lemmas have proved that $[\![T]\!]_\phi$ satisfies the three properties for membership in
$\mathcal{R}$. In the next section, we will also need the following lemma, whose proof is routine and
omitted:

Lemma 10.5 (Semantic Substitution). $[\![\,[T/x]m\,]\!]_\phi = [\![m]\!]_{\phi[[\![T]\!]_\phi/x]}$

10.3. The Abstraction Theorem. In this section, we prove a remarkable theorem, from
which the normalization property for typable terms will follow as a corollary. For any mixed
terms m and m', and any φ with $FV(m) \subseteq dom(\phi)$, we have:

Theorem 10.6 (Abstraction Theorem). $m \to_a m' \Rightarrow [\![m]\!]_\phi \subseteq [\![m']\!]_\phi$

Note that well-definedness of $[\![m']\!]_\phi$ in the statement of the theorem follows from the assump-
tion about φ and the observation that abstract reduction cannot introduce new variables.

This theorem is remarkable because it reflects the essence of abstraction: the gathering of
different concrete entities under the same abstract one. The Abstraction Theorem shows
that abstract reduction enlarges the set of concrete terms which are collected under a
mixed (and so partially abstract) term. In the next section, we will see how to conclude
normalization from this theorem.
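As an added illustration (not part of the paper), the theorem checked by hand on the single abstract step $\lambda x{:}A.x \to_a A \Rightarrow A$, using only the definitions above (recall $[\![A]\!]_\phi = WN$ and $[\![x]\!]_\phi = \phi(x)$):

\begin{align*}
t \in [\![\lambda x{:}A.x]\!]_\phi
  &\iff t \to^*_\beta \lambda x{:}A.t' \text{ for some } t' \text{ such that }
        [t''/x]t' \in [\![x]\!]_{\phi[WN/x]} = WN \text{ for all } t'' \in WN \\
t \in [\![A \Rightarrow A]\!]_\phi
  &\iff t\ t'' \in [\![A]\!]_\phi = WN \text{ for all } t'' \in WN
\end{align*}

Given $t'' \in WN$ and such a $t'$, we have $t\ t'' \to^*_\beta (\lambda x{:}A.t')\ t'' \to_\beta [t''/x]t' \in WN$, so $t\ t'' \in WN$ by Lemma 10.1 in the form $\leftarrow^*_\beta(WN) \subseteq WN$. Hence $[\![\lambda x{:}A.x]\!]_\phi \subseteq [\![A \Rightarrow A]\!]_\phi$, exactly the inclusion the Abstraction Theorem predicts for this step.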

Proof of Theorem 10.6. It suffices to prove by structural induction on the context $\bar{m}$ that for all φ and
for all m and m' where m is a redex and m' its contractum:

$\bar{m}[m] \to_a \bar{m}[m'] \Rightarrow [\![\bar{m}[m]]\!]_\phi \subseteq [\![\bar{m}[m']]\!]_\phi$

Case: $\bar{m} = m_1\ m_2$, where the hole is in $m_1$. The case where the hole is in $m_2$ is similar,
so we omit it. To show the required $[\![m_1[m]\ m_2]\!]_\phi \subseteq [\![m_1[m']\ m_2]\!]_\phi$, consider arbitrary
$t \in [\![m_1[m]\ m_2]\!]_\phi$. By the definition of the interpretation of applications, we must have
$t_1 \in [\![m_1[m]]\!]_\phi$ and $t_2 \in [\![m_2]\!]_\phi$ with $t \to^*_\beta t_1\ t_2$. Now by the induction hypothesis applied to
$m_1$ we have:

$[\![m_1[m]]\!]_\phi \subseteq [\![m_1[m']]\!]_\phi$

This implies $t_1\ t_2 \in [\![m_1[m']\ m_2]\!]_\phi$. From this, we obtain the desired $t \in [\![m_1[m']\ m_2]\!]_\phi$ by
the definition of the interpretation of applications.

Case: $\bar{m} = \lambda x{:}T.m_1$, for some x, T, and $m_1$, with the hole in $m_1$. Consider an arbitrary
$t \in [\![\lambda x{:}T.m_1[m]]\!]_\phi$. By the definition of the interpretation of λ-abstractions, this implies
that there exists a term $t_1$ such that $t \to^*_\beta \lambda x{:}T.t_1$ and for all $t'' \in [\![T]\!]_\phi$, we have $[t''/x]t_1 \in
[\![m_1[m]]\!]_{\phi[[\![T]\!]_\phi/x]}$. We must show $t \in [\![\lambda x{:}T.m_1[m']]\!]_\phi$. By the definition of the interpretation
of λ-terms and Lemma 10.1, it suffices to prove $(\lambda x{:}T.t_1)\ t'' \in [\![m_1[m']]\!]_{\phi[[\![T]\!]_\phi/x]}$ for
arbitrary $t'' \in [\![T]\!]_\phi$. Again applying Lemma 10.1, we can see it suffices to prove $[t''/x]t_1 \in
[\![m_1[m']]\!]_{\phi[[\![T]\!]_\phi/x]}$. This now follows by the induction hypothesis applied to the context $m_1$.

Case: $\bar{m} = *$. Now we must distinguish the two cases for an abstract reduction.

Case 1. Suppose that we have

$\lambda x{:}T.m \to_a T \Rightarrow [T/x]m$

We must prove $[\![\lambda x{:}T.m]\!]_\phi \subseteq [\![T \Rightarrow [T/x]m]\!]_\phi$. So assume arbitrary $t \in [\![\lambda x{:}T.m]\!]_\phi$,
and show $t \in [\![T \Rightarrow [T/x]m]\!]_\phi$. To show that, it suffices to consider arbitrary $t'' \in [\![T]\!]_\phi$
and prove $t\ t'' \in [\![\,[T/x]m\,]\!]_\phi$. By the definition of the interpretation of λ-abstractions, we
have $t \to^*_\beta \lambda x{:}T.t'$, for some t', with $[t''/x]t' \in [\![m]\!]_{\phi[[\![T]\!]_\phi/x]}$ for all $t'' \in [\![T]\!]_\phi$. Since
$t\ t'' \to^*_\beta [t''/x]t'$, it suffices by Lemma 10.1 just to prove $[t''/x]t' \in [\![\,[T/x]m\,]\!]_\phi$. This follows
from the fact just derived, applying also Lemma 10.5.

Case 2. Suppose that we have

$(T \Rightarrow m)\ T \to_a m$

Assume an arbitrary $t \in [\![(T \Rightarrow m)\ T]\!]_\phi$. By the definition of the interpretation of applica-
tions, we then have that there exist $t_1 \in [\![T \Rightarrow m]\!]_\phi$ and $t_2 \in [\![T]\!]_\phi$ such that $t \to^*_\beta t_1\ t_2$.
We must show $t \in [\![m]\!]_\phi$. By the definition of the interpretation of ⇒-terms, we obtain
$t_1\ t_2 \in [\![m]\!]_\phi$. By Lemma 10.1 this suffices to establish $t \in [\![m]\!]_\phi$, since $t \to^*_\beta t_1\ t_2$. □
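The two redex rules of Cases 1 and 2, closed under contexts, are the whole of abstract reduction for STLC. The following is an added example (not code from the paper) that implements that relation on a small constructed encoding of mixed terms and runs it to normal form, so that a closed typable term rewrites to its type while an ill-typed term gets stuck; the names `subst`, `step`, `is_type` and `abstract_type` are mine, and closing reduction under the range of a ⇒-term is my assumption about the context grammar.

```python
from typing import Optional

# Mixed terms are encoded as tuples (a constructed encoding, not the paper's):
#   ("A",)  ("=>", T, m)  ("var", x)  ("lam", x, T, m)  ("app", m1, m2)
A = ("A",)                                   # the single atomic type

def subst(m: tuple, x: str, t: tuple) -> tuple:
    """[t/x]m.  Here t is always a type, which has no variables, so no capture."""
    tag = m[0]
    if tag == "var":
        return t if m[1] == x else m
    if tag == "lam":                         # x rebound: nothing to substitute
        return m if m[1] == x else ("lam", m[1], m[2], subst(m[3], x, t))
    if tag == "app":
        return ("app", subst(m[1], x, t), subst(m[2], x, t))
    if tag == "=>":
        return ("=>", m[1], subst(m[2], x, t))
    return m                                 # the atomic type A

def step(m: tuple) -> Optional[tuple]:
    """One leftmost-outermost ->_a step, or None if m has no ->_a redex.
    Reduction is closed under application, lambda and (our assumption) the
    range of a => term, so the type is uncovered from the outside in."""
    tag = m[0]
    if tag == "lam":                         # Case 1:  \x:T.m ->_a T => [T/x]m
        return ("=>", m[2], subst(m[3], m[1], m[2]))
    if tag == "app":
        f, a = m[1], m[2]
        if f[0] == "=>" and f[1] == a:       # Case 2:  (T => m) T ->_a m
            return f[2]
        s = step(f)
        if s is not None:
            return ("app", s, a)
        s = step(a)
        return None if s is None else ("app", f, s)
    if tag == "=>":
        s = step(m[2])
        return None if s is None else ("=>", m[1], s)
    return None                              # a variable or A: nothing to do

def is_type(m: tuple) -> bool:
    return m == A or (m[0] == "=>" and is_type(m[1]) and is_type(m[2]))

def abstract_type(t: tuple, fuel: int = 10_000) -> Optional[tuple]:
    """Run ->_a to normal form; return T if t ->_a^* T, None if the term gets stuck."""
    for _ in range(fuel):
        n = step(t)
        if n is None:
            return t if is_type(t) else None
        t = n
    return None
```

For example, the term λf:A⇒A. λx:A. f (f x) rewrites in four steps to (A⇒A) ⇒ (A⇒A), whereas λx:A. x x stops at A ⇒ A A, which is not a type.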

10.4. Concluding Normalization. Using the Abstraction Theorem, we can obtain the
main result that typable terms are normalizing. First, we need this helper lemma stating
that standard terms are in their own interpretations:

Lemma 10.7. Consider an arbitrary standard term t and assignment φ, as well as a function
σ from variables to standard terms. Suppose also that for all $x \in FV(t)$, we have $\sigma(x) \in
\phi(x)$. Then we have $\sigma t \in [\![t]\!]_\phi$.

Proof. The proof is by structural induction on t. If t is a variable x, then we have $\sigma x \in \phi(x)$
by assumption. If t is of the form $\lambda x{:}T.t_1$, then the definition of the interpretation of mixed
terms tells us:

$[\![\lambda x{:}T.t_1]\!]_\phi = \leftarrow^*_\beta(\{\, \lambda x{:}T.t' \mid \forall t'' \in [\![T]\!]_\phi.\ [t''/x]t' \in [\![t_1]\!]_{\phi[[\![T]\!]_\phi/x]} \,\})$

To show that $\sigma\lambda x{:}T.t_1$ is itself a member of the set on the right-hand side of this equation, it
suffices to consider an arbitrary $t'' \in [\![T]\!]_\phi$ and show $[t''/x](\sigma t_1) \in [\![t_1]\!]_{\phi[[\![T]\!]_\phi/x]}$. Here we can
apply the induction hypothesis for $t_1$, with $\sigma[t''/x]$ and $\phi[[\![T]\!]_\phi/x]$. The two substitutions
still satisfy the required properties. Finally, if t is of the form $t_1\ t_2$, the result easily
follows from the induction hypothesis applied to $t_1$ and also to $t_2$, and the definition of the
interpretation of applications. □

Theorem 10.8 (Normalization for Typable Terms). For all closed standard terms t and
types T, if $t \to^*_a T$, then $t \in WN$.

Proof. By Lemma 10.7 we have $t \in [\![t]\!]_\emptyset$. Then by iterated application of Theorem 10.6 we
know that $[\![t]\!]_\emptyset \subseteq [\![T]\!]_\emptyset$. By Lemma 10.3, $[\![T]\!]_\emptyset \subseteq WN$. Putting these facts together, we get
this chain of relationships, which suffices:

$t \in [\![t]\!]_\emptyset \subseteq [\![T]\!]_\emptyset \subseteq WN$

□



10.5. Summary of The Standard Proof. Here, we summarize Girard's proof of strong
normalization, for purposes of comparison [12]. This proof is based on the usual judgment
$\Gamma \vdash t : T$ for STLC. One first defines an interpretation of types:

$t \in Red_A \iff t \in SN$

$t \in Red_{T \Rightarrow T'} \iff \forall t' \in Red_T.\ (t\ t') \in Red_{T'}$

This does not require use of a function φ as above (though the standard proof for System
F does). For this interpretation of types, one then proves these three properties, by mutual
structural induction on the type T mentioned in all three properties:

(1) $Red_T(t) \Rightarrow SN(t)$.

(2) $Red_T(t) \Rightarrow Red_T(next(t))$.

(3) If t is neutral, then $Red_T(next(t)) \Rightarrow Red_T(t)$.

A term is neutral iff it is not a λ-abstraction. The third property implies that all the
variables are in $Red_T$ for every T. Finally, one derives the following different theorem in
place of the Abstraction Theorem:

Theorem 10.9 (Reducibility). Suppose $\{x_1 : T_1, \ldots, x_n : T_n\} \vdash t : T$, and consider
arbitrary $t_i \in Red_{T_i}$, for all $i \in \{1, \ldots, n\}$. Then $[t_1/x_1, \ldots, t_n/x_n]\,t \in Red_T$.

Now we can obtain as a corollary that $\Gamma \vdash t : T$ implies $t \in SN$, since $Red_T \subseteq SN$ by the
first property above, and the substitution σ replacing each x by x itself satisfies the required condition,
since all variables are included in all sets $Red_T$.

10.6. Discussion. The main difference between the rewriting-based development and the stan-
dard one lies in deriving the Abstraction Theorem. The form of the theorem is completely
different from Theorem 10.9. One nice technical feature is that for the proof of the Abstrac-
tion Theorem, we did not need to apply a substitution to terms inhabiting interpretations
of types, as we did for Theorem 10.9. We still needed to use the idea of such a substitution,
but it appeared only in a simple helper lemma, namely Lemma 10.7. This is an advantage
of the rewriting-based version, since the substitution does not clutter up the proof of the
central result. One disadvantage of the rewriting-based version is that we needed the func-
tion φ and Lemma 10.5, but this is not such a significant disadvantage, since those devices
are needed when we move to System F in the standard development anyway.

11. Conclusion

We have seen how rewriting techniques can be used to develop the meta-theory of simple
types. Typing is treated as a small-step abstract reduction relation, and type safety, based
on type preservation and progress theorems, can be established by analysis of the interac-
tions between abstract and concrete reduction steps. A crucial ingredient of our approach
to type preservation, as defined by Theorem 5.1, is to have a confluent abstract reduction
relation. For simply typed lambda calculus, this was a trivial matter, but we saw a more
complex example, where applying automated confluence-checking tools developed in the
term-rewriting community was able to automate this part of the type preservation proof.
Confluence of the combination of abstract and concrete reduction for typable terms is an
easy corollary of type preservation (Theorem 5.3). We have also seen how to adapt a stan-
dard proof of normalization for simply typed terms to the rewriting approach to typing.
For this proof, mixed terms are interpreted as sets of standard terms, and the crucial in-
sight is embodied in the Abstraction Theorem, which shows that those sets are enlarged by
reduction of the corresponding mixed terms.

There are many avenues for future work. First, the rewriting approach should be
applied to more advanced type systems, including ones with impredicative polymorphism.
Dependent type systems pose a particular challenge, because from the point of view of
abstract reduction, Π-bound variables must play a dual role. When computing a dependent
function type $\Pi x{:}T.\,T'$ from an abstraction $\lambda x{:}T.t$, we may need to abstract x to
T, as for STLC; but we may also need to leave it unabstracted, since with dependent
types, x is allowed to appear in the range type T'. It would also be interesting to see if
there are consequences of the rewriting approach to typing when applied to proofs via the
Curry-Howard isomorphism. Theorem 10.6 (Abstraction) shows how the set of proofs in
the meaning of a mixed proof term (part proof and part formula) increases as the term is
abstracted. Certainly, the present methods yield the syntactic capability to incrementally
transform a proof into the theorem it proves. This could already be valuable in practice
for efficient proof checking, for example of large proofs produced by SAT or SMT solvers
(cf. EU).

It would be interesting to go further in automating proofs of type preservation based 
on the rewriting approach. While the Programming Languages community has invested 
substantial effort in recent years on computer-checked proofs of properties like type safety 
for programming languages (initiated particularly by the POPLmark Challenge [1]), there 
is relatively little work on fully automatic proofs of type preservation (an example is [19J). 
The rewriting approach could contribute to filling that gap, since the methods we used 
above for analyzing interactions of abstract and concrete steps to prove type preservation 
are similar to those used for proving confluence of combined reduction. 

Our longer term goal is to use this approach to design and analyze type systems for
symbolic simulation. In program verification tools like Pex and KeY, symbolic simulation
is a central component [6, 23]. But these systems do not seek to prove that their symbolic-
simulation algorithms are correct. Indeed, the authors of the KeY system argue against
expending the effort to do this [7]. The rewriting approach promises to make it easier to
relate symbolic simulation, viewed as an abstract reduction relation, with the small-step
operational semantics.